Report No. D-2008-047          February 5, 2008

Contingency Planning for DoD Mission-Critical Information Systems

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ASD(NII)/CIO    Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
CIO             Chief Information Officer
COOP            Continuity of Operations Plan
DITPR           DoD Information Technology Portfolio Repository
DITSCAP         DoD Information Technology Security Certification and Accreditation Process
FISMA           Federal Information Security Management Act
IG              Inspector General
MAC             Mission Assurance Category
ODO             Other Defense Organizations

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

February 5, 2008

MEMORANDUM FOR DISTRIBUTION

SUBJECT: Report on
Contingency Planning for DoD Mission-Critical Information Systems
(Report No. D-2008-047)

We are providing this report for review and comment. The U.S. Strategic Command and the Business Transformation Agency did not respond to the draft report. When preparing the final report, we considered management comments from the Assistant Secretary of Defense for Networks and Information Integration; the Departments of the Army, Navy, and Air Force; the U.S. Transportation Command; the Defense Contract Management Agency; the Defense Information Systems Agency; the Defense Logistics Agency; the Defense Threat Reduction Agency; the Missile Defense Agency; and TRICARE Management Activity.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. The Defense Information Systems Agency comments were responsive with the exception of Recommendation 2.e. We request that the Department of the Air Force, U.S. Strategic Command, U.S. Transportation Command, Business Transformation Agency, Defense Logistics Agency, Missile Defense Agency, and TRICARE Management Activity provide comments on the final report for Recommendations 2.a. through 2.j. See the Management Comments Required table at the end of the finding section for the specific comments required.

We also request that comments be provided on the final report by the Assistant Secretary of Defense for Networks and Information Integration for Recommendations 1.b., 1.d., 2.a., 2.b., 2.d., 2.e., 2.f., 2.g., 2.h., and 2.i.; the Army for Recommendations 2.c., 2.g., 2.h., and 2.i.; the Navy for Recommendations 2.a., 2.b., 2.c., 2.d., 2.e., 2.g., 2.h., 2.i., and 2.j.; the Defense Contract Management Agency for Recommendations 2.b., 2.c., 2.d., 2.e., 2.f., 2.g., and 2.h.; the Defense Information Systems Agency for Recommendation 2.e.; and the Defense Threat Reduction Agency for Recommendations 2.a., 2.b., 2.c., 2.d., 2.e., 2.f., 2.g., and 2.j. We request that management provide comments by March 5, 2008.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AudROS@dodig.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Kimberley A. Caprio at (703) 604-9202 (DSN 664-9202) or Ms. Karen J. Goff at (703) 604-9005 (DSN 664-9005). See Appendix D for the report distribution. The team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Robert F. Prinzbach II
Acting Assistant Inspector General
Readiness and Operations Support

DISTRIBUTION:

UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/CHIEF INFORMATION OFFICER
COMMANDER, U.S. STRATEGIC COMMAND
COMMANDER, U.S. TRANSPORTATION COMMAND
ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)
ASSISTANT SECRETARY (WARFIGHTING INTEGRATION) AND CHIEF INFORMATION OFFICER, DEPARTMENT OF THE AIR FORCE
DIRECTOR, BUSINESS TRANSFORMATION AGENCY
DIRECTOR, DEFENSE CONTRACT MANAGEMENT AGENCY
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
DIRECTOR, DEFENSE LOGISTICS AGENCY
DIRECTOR, DEFENSE THREAT REDUCTION AGENCY
DIRECTOR, MISSILE DEFENSE AGENCY
DIRECTOR, TRICARE MANAGEMENT ACTIVITY
CHIEF INFORMATION OFFICER, DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER, DEPARTMENT OF THE NAVY
    DEPUTY CHIEF INFORMATION OFFICER, U.S. MARINE CORPS
CHIEF INFORMATION OFFICER, U.S. STRATEGIC COMMAND
CHIEF INFORMATION OFFICER, U.S. TRANSPORTATION COMMAND
CHIEF INFORMATION OFFICER, DEFENSE CONTRACT MANAGEMENT AGENCY
CHIEF INFORMATION OFFICER, DEFENSE INFORMATION SYSTEMS AGENCY
CHIEF INFORMATION OFFICER, DEFENSE LOGISTICS AGENCY
CHIEF INFORMATION OFFICER, DEFENSE THREAT REDUCTION AGENCY
CHIEF INFORMATION OFFICER, MISSILE DEFENSE AGENCY
CHIEF INFORMATION OFFICER, TRICARE MANAGEMENT ACTIVITY
NAVAL INSPECTOR GENERAL
AUDITOR GENERAL, DEPARTMENT OF THE ARMY

Department of Defense Office of Inspector General
Report No. D-2008-047          February 5, 2008
(Project No. D2007-D000LB-0080.000)

Contingency Planning for DoD Mission-Critical Information Systems

Executive Summary

Who Should Read This Report and Why? DoD Component Chief Information Officers and system owners conducting contingency planning for DoD information systems—in particular, DoD officials responsible for developing, testing, and approving system contingency plans—should read this report to properly plan and test their information systems before a contingent event.
Also, DoD officials responsible for reporting contingency information to the Office of Management and Budget and Congress should read this report.

Background. Section 301, Public Law 107-347, Title III, "Federal Information Security Management Act of 2002," December 17, 2002, of the E-Government Act of 2002 requires each Federal agency to develop, document, and implement an agency-wide information security program. The Federal Information Security Management Act requires that Federal agency information security programs provide, among other things, plans and procedures for the continuity of operations for agency information systems so that operations can continue during a disruptive or catastrophic event. This is called contingency planning. DoD uses the DoD Information Technology Portfolio Repository (DITPR) as its primary information source for reporting on the security status of its information systems under the Federal Information Security Management Act.

DITPR is the DoD authoritative repository of unclassified information for DoD information systems and is used to meet a variety of internal and external reporting requirements. Chief Information Officers of DoD Components are required to report in DITPR their inventory of information systems and must annually certify, in writing, that the Component's information in DITPR is complete and accurate. The system information in DITPR includes information on contingency planning, such as whether system owners developed and tested system contingency plans.

Contingency planning is the interim measure used to recover information technology services following an emergency or system disruption. Contingency planning is especially important for mission-critical systems. The loss of operations of mission-critical systems would cause the stoppage of warfighter operations. The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer is required to develop and oversee contingency policies and planning for the stabilization and reconstruction of DoD operations.

On January 24, 2007, the date of the audit announcement, DoD reported in DITPR 436 mission-critical information technology systems requiring information assurance certification and accreditation. From the 436 systems, we statistically selected an audit sample of 240 systems for data analysis. We projected our results to all 436 DoD mission-critical information systems reported in DITPR as of January 24, 2007. See Appendix B for a list of the 240 mission-critical information systems in our sample.

Results. The information in DITPR on contingency planning is not reliable on the basis of sample results. We projected that, of 436 mission-critical information systems requiring information assurance certification and accreditation, 264 systems (61 percent) lacked a contingency plan or their owners could not provide evidence of a plan; 358 systems (82 percent) had contingency plans that had not been tested or for which their owners could not provide evidence of testing; 410 systems (94 percent) had incorrect testing information reported in DITPR; and 37 systems (8 percent) had incorrect contingency plan information reported in DITPR. As a result, DoD mission-critical systems may not be able to sustain warfighter operations during a disruptive or catastrophic event. Further, DoD provided erroneous information to Congress and the Office of Management and Budget on whether DoD had contingency planning procedures in place and periodically tested the procedures necessary to recover the systems from an unforeseen, and possibly devastating, event.
See the Finding section of the report for the detailed recommendations.

ASD(NII)/CIO did not implement management controls by establishing a comprehensive and overarching contingency planning policy. Further, DoD Component CIOs did not implement management controls to verify that system owners developed and tested system contingency plans as required or to support the assertions in their CIO Certification Memorandums about the completeness and accuracy of their information in DITPR.

Management Comments. The U.S. Strategic Command and the Business Transformation Agency did not respond to the draft report, issued on October 2, 2007. With the exception of Recommendations 1.c., 2.a., and 2.d., the Assistant Secretary of Defense for Networks and Information Integration concurred with the recommendations. The Departments of the Army and Navy concurred, and the Defense Contract Management Agency partially concurred, with the recommendations. Although the Defense Information Systems Agency comments did not state concurrence, the comments indicated concurrence. The Defense Threat Reduction Agency nonconcurred with Recommendation 2.c. and partially concurred with some of the recommendations.

The Air Force and the U.S. Transportation Command commented on the finding of the draft report; however, the comments did not indicate concurrence, proposed actions, or completion dates for the recommendations. The Defense Logistics Agency, Missile Defense Agency, and TRICARE Management Activity concurred with the recommendations; however, they did not indicate proposed actions or completion dates. The U.S. Marine Corps provided unsolicited comments on the finding and Recommendation 2., and the Defense Threat Reduction Agency provided unsolicited comments on Recommendation 1.

Management Comments Required. We request that the U.S. Strategic Command and the Business Transformation Agency provide comments to the final report on Recommendations 2.a. through 2.j. Further, we request that the Department of the Air Force, U.S. Transportation Command, Defense Logistics Agency, Missile Defense Agency, and TRICARE Management Activity provide comments on the final report regarding proposed actions and their completion dates for Recommendations 2.a. through 2.j.

We also request that comments on the final report be provided by the:

    • Assistant Secretary of Defense for Networks and Information Integration—Recommendations 1.b., 1.d., 2.a., 2.b., 2.d., 2.e., 2.f., 2.g., 2.h., and 2.i.;

    • Army—Recommendations 2.c., 2.g., 2.h., and 2.i.;

    • Navy—Recommendations 2.a., 2.b., 2.c., 2.d., 2.e., 2.g., 2.h., 2.i., and 2.j.;

    • Defense Contract Management Agency—Recommendations 2.b., 2.c., 2.d., 2.e., 2.f., 2.g., and 2.h.;

    • Defense Information Systems Agency—Recommendation 2.e.; and

    • Defense Threat Reduction Agency—Recommendations 2.a., 2.b., 2.c., 2.d., 2.e., 2.f., 2.g., and 2.j.

We request that management provide comments by March 5, 2008.
See the Finding section of the report and Appendix C for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Table of Contents

Executive Summary

Background

Objectives

Review of Internal Controls

Finding
    Contingency Planning for DoD Mission-Critical Information Systems

Appendixes
    A. Scope and Methodology
        Prior Coverage
    B. DoD Mission-Critical Systems Sampled
    C. Management Comments on the Finding, Unsolicited Comments on the Finding and Recommendations, and Audit Response
    D. Report Distribution

Management Comments
    Assistant Secretary of Defense for Networks and Information Integration
    Department of the Army
    Department of the Navy
    Department of the Air Force
    U.S. Transportation Command
    Defense Contract Management Agency
    Defense Information Systems Agency
    Defense Logistics Agency
    Defense Threat Reduction Agency
    Missile Defense Agency
    TRICARE Management Activity
    U.S. Marine Corps

Background

Section 301, Public Law 107-347, Title III, "Federal Information Security Management Act of 2002," December 17, 2002, of the E-Government Act of 2002 requires that Federal agencies develop, document, and implement an agency-wide information security program. The Federal Information Security Management Act (FISMA) requires that Federal agency information security programs provide, among other things, plans and procedures for the continuity of operations for agency information systems. FISMA also requires that each Federal agency report annually to the Office of Management and Budget and Congress on the adequacy and effectiveness of its information security policies, procedures, and practices, which include contingency planning. DoD uses the DoD Information Technology Portfolio Repository (DITPR) as its primary source of information for FISMA reporting.

DoD Information Technology Portfolio Repository.
DoD Chief Information Officer (CIO) Memorandum, "Department of Defense (DoD) Information Technology (IT) Portfolio Repository (DITPR) and DoD SIPRNet IT Registry Annual Guidance for 2006," May 17, 2006 (FY 2006 DITPR Guidance), states that DITPR is the sole DoD authoritative repository of unclassified information for DoD information systems. DoD uses DITPR to meet a variety of internal and external reporting requirements, including FISMA reporting. The DoD Component CIOs are required to report in DITPR their inventory of information systems and must annually certify, in writing, that the Component's information in DITPR is complete and accurate. The system information in DITPR includes contingency planning information—specifically, whether system owners developed and tested system contingency plans.

Information is entered into DITPR by the Components either through batch uploads from their internal information technology systems or by working online in DITPR directly. Of the organizations reviewed, the Army, Navy, Air Force, Marine Corps, and TRICARE Management Activity update their DITPR information by batch upload. The remainder of the Components reviewed enter and edit their DITPR information online.

Contingency Planning. Contingency planning is the interim measure used to recover information technology services following an emergency or system disruption. Contingency planning is especially important for mission-critical systems. The loss of mission-critical system operations would stop warfighter operations or the direct mission support of those operations. DoD Directive 5144.1, "Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/CIO)," May 2, 2005, requires that ASD(NII)/CIO develop and oversee contingency policies and planning for the stabilization and reconstruction of DoD operations. DoD Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process (DITSCAP)," December 30, 1997,[1] requires that system owners prepare contingency plans as part of the information assurance certification and accreditation process of a system.

[1] Subsequent to the audit, DoD Instruction 5200.40 was cancelled and replaced with DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," November 28, 2007.

We queried DITPR on January 24, 2007, the date of our audit announcement, to identify the universe of DoD mission-critical information technology systems requiring information assurance certification and accreditation. The certification and accreditation process encompasses the actions taken by owners of a system to protect the system's information. Owners accomplish this by implementing information assurance controls designed to protect the availability, integrity, authentication, confidentiality, and non-repudiation of a system's information.

Our query resulted in a universe of 436 mission-critical information systems requiring information assurance certification and accreditation.
The 436 systems included 110 Army, 97 Navy, 85 Air Force, 50 Marine Corps, and 94 Other Defense Organizations (ODO)[2] systems. From a population of 436 systems, we statistically selected an audit sample of 240 systems. The audit sample consisted of 60 Army, 54 Navy, 50 Air Force, 26 Marine Corps, and 50 ODO systems. We projected our results to the universe of 436 DoD mission-critical information systems reported in DITPR as of January 24, 2007. See Appendix B for the 240 systems sampled.

[2] An ODO is either a Defense agency or a combatant command.

Objectives

Our overall audit objective was to assess the reliability of contingency planning data reported in DITPR for selected information systems. Specifically, we assessed system owners' compliance with reporting requirements for contingency planning information. See Appendix A for a discussion of the scope and methodology and prior coverage related to the objectives.

Review of Internal Controls

We identified internal control weaknesses for ASD(NII)/CIO as defined by DoD Instruction 5010.40, "Managers' Internal Control (MIC) Program Procedures," January 4, 2006. ASD(NII)/CIO did not establish a comprehensive and overarching contingency planning policy. Further, DoD Component CIOs did not implement management controls to verify that system owners developed and tested system contingency plans as required or to support the assertions in their CIO Certification Memorandums about the completeness and accuracy of their information in DITPR. Implementing Recommendations 1. and 2. will improve ASD(NII)/CIO and Component CIO reporting of contingency planning information in DITPR. We will provide a copy of the report to the senior official responsible for internal controls at ASD(NII)/CIO in February 2008.

Contingency Planning for DoD Mission-Critical Information Systems

The information in DITPR on contingency planning is not reliable on the basis of sample results. We projected that, of 436 mission-critical information systems requiring information assurance certification and accreditation:

    • 264 systems (61 percent) lacked a contingency plan or their owners could not provide evidence of a plan;

    • 358 systems[3] (82 percent) had contingency plans that had not been tested or for which their owners could not provide evidence of testing;

    • 410 systems (94 percent) had incorrect testing information reported in DITPR; and

    • 37 systems (8 percent) had incorrect contingency plan information reported in DITPR.

These security weaknesses occurred because ASD(NII)/CIO did not establish a comprehensive contingency planning policy. Additionally, the Component CIOs did not implement management controls to verify that system owners developed or tested system contingency plans. The Component CIOs also did not implement Component-level automated controls to ensure complete and accurate reporting in DITPR.
As a result, DoD mission-critical systems may not be able to sustain warfighter operations during a disruptive or catastrophic event. Further, DoD provided erroneous information to Congress and the Office of Management and Budget on whether DoD had procedures in place and periodically tested the procedures necessary to recover the systems from an unforeseen, and possibly devastating, event.

Preparing Contingency Plans

DoD Instruction 5200.40 requires that system owners prepare contingency plans as part of the information assurance certification and accreditation process of a system. The certification and accreditation process encompasses the actions taken by owners of a system to protect the system's information. Owners accomplish this by implementing information assurance controls designed to protect the availability, integrity, authentication, confidentiality, and nonrepudiation of a system's information. On January 24, 2007, the date of the audit announcement, DoD reported in DITPR 436 mission-critical information technology systems requiring information assurance certification and accreditation. Out of the 436 systems, we statistically selected 240 systems for data analysis. On the basis of sample results, we projected that owners of 264[4] of 436 mission-critical DoD systems did not develop or could not provide evidence of the system's contingency plan.

[3] The figure 358 was a result of sampling and computed independently. The figure does not reflect a total of the 97 Army, 86 Navy, 85 Air Force, 50 Marine Corps, and 39 ODO systems identified in this report whose system owners did not test or provide evidence of testing their system's contingency plan.

We requested that DoD Components provide us with the approved, signed copy of the system's contingency plan for each of the 240 systems sampled. When the Component did not provide a plan for a sampled system, we stated that the system owner did not provide evidence of having developed a plan for that system. When system owners provided documentation, we reviewed the documentation to determine whether it met contingency plan requirements. See Appendix A for more on our methodology.

Army. On the basis of sample results, we projected that owners of 57 of the Army's 110 mission-critical systems (52 percent) did not develop or could not provide evidence of a contingency plan. Army system owners provided various reasons for not developing or providing system plans. For example, two system owners stated that because the system was a mission support system it did not require a plan. However, according to DITSCAP, system owners are required to develop a system contingency plan regardless of the system's mission criticality. Another system owner who could not provide a copy of the system's plan planned to delete the system from DITPR; however, the owner reported in DITPR that a plan had been developed for the system. Another system owner planned to transfer the system to another DoD Component and delete the system from DITPR.
The owner, however, could not provide a copy of the system's plan and, at the time of our review, continued to report the system as owned by the Army.

Army system owners also provided documents that did not meet contingency plan requirements. For example, system owners provided continuity of operations plans (COOPs) that made no mention of the system under review. A COOP restores mission and organizational operations, which may not always include the restoration of an information system. One system owner provided a COOP stating that its purpose was to restore command operations. The COOP, however, did not include contingency planning for the information system sampled. Three system owners provided documents stating that unit commanders were responsible for developing their systems' contingency plans. However, Army officials could not provide the contingency plans for the three systems sampled. Further, the documents did not provide unit commanders with instructions for developing the system plans. In addition, two system owners provided contingency plans prepared specifically for the year 2000 conversion that did not identify procedures to recover the system from other disruptive events. The year 2000 conversion plans were more than 7 years old and did not state that the procedures identified in the plan were valid for the system's current environment.

Navy. On the basis of sample results, we projected that owners of 68 of the Navy's 97 mission-critical information systems (70 percent) did not develop or could not provide evidence of a contingency plan. System owners provided various reasons for not providing system plans. For example, one system owner said the system was terminated. Another system owner who could not provide a contingency plan removed the system from DITPR because it was a network, not an information technology system. However, DITSCAP requires that system owners certify and accredit networks as well as information systems. Therefore, the system owner should have prepared a contingency plan for the network.

[4] The 264 systems include 57 Army, 68 Navy, 68 Air Force, 50 Marine Corps, and 21 ODO systems.

Navy system owners provided documents that did not meet contingency plan requirements. For example, system owners provided technical manuals and headquarters COOPs. The documents, however, did not include contingency plans specific to their information system for recovery from a disruptive event or emergency. System owners also provided one-page documents stating that the contingency plan was the responsibility of the information assurance manager. Navy officials, however, could not provide contingency plans for those systems. Further, the one-page documents did not provide guidance to the information assurance managers on how to recover the system from a disruptive event.

Air Force. On the basis of sample results, we projected that owners of 68 of the Air Force's 85 mission-critical information systems (80 percent) did not develop or could not provide evidence of a contingency plan. System owners provided documents that did not meet contingency plan requirements. One system owner provided task cards rather than a contingency plan. Task cards provide personnel with procedures for the orderly evacuation of personnel in case of fire, natural disaster, bomb threat, or other emergency. The task cards did not discuss procedures for restoring an information system's operations after a disruptive event.
Another system owner provided a risk management plan that did not\nidentify a contingency plan for the information system. Lastly, one system owner\nprovided the system\xe2\x80\x99s COOP, which stated that users should use it in conjunction\nwith the system\xe2\x80\x99s contingency plan. The system owner, however, could not\nprovide the contingency plan.\n\nMarine Corps. On the basis of sample results, we projected that system owners\nfor all of the Marine Corps\xe2\x80\x99 50 mission-critical information systems (100 percent)\ndid not develop or could not provide evidence of a contingency plan. System\nowners reported in DITPR for the 26 systems sampled that they had developed a\ncontingency plan for the system. However, Marine Corps system owners\nprovided one document for all 26 systems sampled\xe2\x80\x94an appendix from the\nMarine Corps Logistics Command Security System Authorization Agreement\xe2\x80\x94as\nevidence that they had prepared contingency plans for the 26 systems.\nMarine Corps system owners also provided a memorandum stating that the\nappendix covered contingency planning procedures for the 26 systems under\nreview. The five-page appendix, however, did not mention the 26 systems or\nprovide contingency planning procedures for the systems.\n\nOther DoD Organizations. Based on our sample results, we projected that\nowners of 21 of 94 ODO mission-critical information systems (22 percent) did\nnot develop or could not provide evidence of a contingency plan. System owners\nstated that their systems did not have plans because the systems were,\nrespectively, a pilot project, a network appliance, or a predeployment system.\nHowever, none of the reasons given by system owners precluded them from\ndeveloping contingency plans. The owner of each system reported in DITPR that\nit required certification and accreditation; therefore, each system required a\n\n\n                                    5\n\x0c           contingency plan. 
Other system owners stated that the contractors operating their\n           systems could not release the contingency plans to the Government because the\n           plans contained proprietary information. The Component CIO should require that\n           the contractors remove the proprietary information from the contingency plan and\n           immediately provide the Government with a copy.\n\n           On the basis of our review of the contingency plans that did meet requirements,\n           we found no consistency among the contingency plans prepared by system\n           owners within DoD. Each plan contained varying degrees of information. For\n           example, some plans contained system descriptions, system configurations\n           schematics, and disaster recovery scenarios, while other plans did not.\n           Additionally, some plans detailed the frequency of data backups, measures to\n           protect critical software, and procedures for startup at alternate sites, while most\n           plans did not.\n\n\nContingency Plan Testing\n           Despite evidence presented in the previous section of this report that system\n           owners could not demonstrate they had developed a contingency plan for their\n           system, owners still reported in DITPR on January 24, 2007, that, for 235 of the\n           240 systems sampled, they had tested the system\xe2\x80\x99s plan. System owners for the\n           remaining five systems left blank the data field in DITPR that asks about\n           contingency plan testing. We requested that system owners provide testing\n           documents to support the date of the contingency plan test that owners reported in\n           DITPR as of January 24, 2007.\n\n           On the basis of sample results, we projected that owners of 358 of 436 DoD\n           mission-critical systems did not test or could not provide evidence that they tested\n           system contingency plans. 
DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003, requires that system owners test contingency plans based on the system’s MAC (Mission Assurance Category). System owners are required to designate their system as a MAC I, II, or III. The MAC designates the importance of the information in relation to the achievement of DoD goals and objectives, particularly the warfighter’s combat mission.

DoD Instruction 8500.2 requires that system owners test MAC I systems twice a year and MAC II and III systems once yearly. DoD CIO Memorandum, “Department of Defense (DoD) Federal Information Security Management Act (FISMA) Guidance for Fiscal Year 2006 (FY 06),” April 4, 2006 (FY 2006 FISMA Guidance), requires that system owners test the procedures in their contingency plans using tabletop [5] or functional [6] exercises and document the testing results. We based our review on the requirements in the FY 2006 FISMA Guidance because its deadline for updating DITPR, December 1, 2006, coincided most closely with the date on which we announced our audit and obtained our audit universe, January 24, 2007. Also, the DoD CIO did not issue the follow-on memorandum, “Department of Defense (DoD) Federal Information Security Management Act (FISMA) Guidance for Fiscal Year 2007 (FY07),” May 21, 2007 (FY 2007 FISMA Guidance), until 4 months after we announced our audit and obtained the audit universe. Further, as part of the FY 2006 FISMA Guidance, the DoD CIO included supplemental information on the types of contingency plan exercises system owners should conduct and required owners to document the exercises. However, the DoD CIO omitted that supplemental information from the FY 2007 FISMA Guidance.

[5] Participants of a tabletop exercise walk through the procedures without any actual recovery operations occurring. Tabletop exercises are the most basic and least costly of the two types of exercises.
[6] Functional exercises include simulations and war gaming. Often, scripts are written for role players pretending to be external organization contacts. A functional exercise can include actual relocation to the alternate site.

Army. On the basis of sample results, we projected that owners of 97 of the Army’s 110 mission-critical information systems (88 percent) did not test or could not provide evidence that they tested a contingency plan. As evidence of testing, owners of systems in our sample provided memorandums for record, execution papers, and e-mail responses dated after our request for information. The FY 2006 FISMA Guidance requires that system owners maintain documents on contingency plan testing. We did not consider responses or documents prepared in response to our data request as evidence of contingency plan testing. Some system owners provided actual testing documents, but only two of the documents confirmed that testing was done on the date reported in DITPR. Other system owners provided a contingency plan that was dated after the testing date reported in DITPR.

Navy. On the basis of sample results, we projected that owners of 86 of the Navy’s 97 mission-critical information systems (89 percent) did not test or could not provide evidence that they tested their systems’ contingency plans. Owners of the Navy’s systems we sampled entered a date in DITPR indicating when they last tested the contingency plan but did not always provide testing documents supporting that date. For example, some system owners did not provide any documentation, while others provided documentation that did not match the test date in DITPR. Specifically, system owners provided memorandums for record, prepared after the date of our data request, certifying that they tested the system contingency plan on the date reported in DITPR. We did not consider responses or documents prepared in response to our data request as evidence of contingency plan testing. We concluded that the system owners did not document the testing of the contingency plan as required by the FY 2006 FISMA Guidance.

In addition, Navy system owners provided COOP checklists identifying procedures that owners should include in their COOP plan. The COOP checklists were not specific to the systems under review. System owners also provided exercise and drill schedules and stated that they interviewed their information assurance officer to verify that exercises were completed. The COOP checklists and exercise and drill schedules did not document the actual completion of a contingency plan test. The COOP checklist also did not support that system owners conducted a contingency plan test on the date they reported in DITPR.

Further, few system owners documented testing results for their systems’ contingency plans as required by the FY 2006 FISMA Guidance. Among system owners who did document testing results, most provided documents with dates that did not match those reported in DITPR. In fact, some testing documents bore dates preceding the date of the contingency plan provided.

Air Force. On the basis of sample results, we projected that owners of all of the Air Force’s 85 mission-critical information systems (100 percent) did not test or could not provide evidence of testing the contingency plan as required by DoD Instruction 8500.2 and the FY 2006 FISMA Guidance. We gave Air Force officials two opportunities to provide contingency plan testing documents for the systems in our sample. We concluded that system owners did not maintain testing documentation as required or perform testing of their systems’ contingency plans.

Marine Corps. On the basis of sample results, we projected that owners of all of the Marine Corps’ 50 mission-critical information systems (100 percent) did not test or could not provide evidence that they tested the systems’ contingency plans. Responding to the question in DITPR about when they last tested their systems’ contingency plans, owners of all but one sampled system reported the same date. These same owners, however, provided only one document—a COOP checklist for the Marine Corps Logistics Command—as evidence that they tested the contingency plans for the 26 systems sampled. The checklist provided steps for system owners to follow when developing a COOP plan but did not document the actual completion of the contingency plan test for any of the Marine Corps systems in our sample. Further, Marine Corps officials dated the COOP checklist after our documentation request. Therefore, the COOP checklist did not support the dates reported in DITPR for the 26 systems sampled.

Other DoD Organizations. On the basis of our sample results, we projected that owners of 39 of 94 mission-critical ODO information systems (42 percent) did not test or could not provide evidence that they tested their systems’ contingency plans. For example, system owners provided documents indicating dates for planned testing but did not actually provide testing results. Other system owners provided test results for unidentified systems. Still other owners provided the approval memorandums granting their systems authority to operate. We did not consider these documents adequate support for testing the contingency plan. Finally, some owners responded that their systems did not have contingency plans.

In light of the significant deficiencies we identified in the testing of system contingency plans, the DoD CIO should issue supplemental guidance reinstating the contingency plan testing requirements identified in the FY 2006 FISMA Guidance. The DoD CIO removed clarifying guidance from the FY 2007 FISMA Guidance on the types of tests that system owners should conduct. The DoD CIO also omitted the requirement for system owners to document results of contingency plan tests. Further, the Component CIO should implement management controls to verify that system owners conduct recurring tests of system contingency plans.

Reporting on Contingency Planning in DITPR

According to the FY 2006 DITPR Guidance, DoD Components own and maintain the information reported in DITPR and are responsible for its completeness and accuracy. Based on sample results, we projected that owners of 410 of 436 DoD mission-critical information systems (94 percent) did not correctly report in DITPR whether they tested their systems’ plans. Additionally, we projected that owners of 37 of the 436 information systems (8 percent) did not correctly report in DITPR whether they developed contingency plans for their systems.

Development of Contingency Plans. For all of the 240 mission-critical systems in our sample, system owners reported in DITPR that their systems required certification and accreditation.
DITSCAP requires that system owners develop a system contingency plan as part of the certification and accreditation process.

When entering information in DITPR, system owners are required to enter “yes” or “no” in the data field that indicates whether they developed a contingency plan for their system. For the 240 certified and accredited mission-critical systems sampled, system owners should have developed a contingency plan for their system and responded “yes.” We identified, however, that owners did not always respond “yes” in DITPR. On the basis of sample results, we projected that owners of 37 of 436 mission-critical systems (8 percent) belonging to the Army, Navy, Business Transformation Agency, Defense Information Systems Agency, and Defense Threat Reduction Agency reported “no,” that they did not develop a plan, or left the data field blank. Navy system owners also answered “n/a.”

Testing of Contingency Plans. On the basis of sample results, we projected that owners of 410 of 436 DoD mission-critical information systems (94 percent) could not support the contingency plan test date they reported in DITPR for their system or did not report a test date in DITPR. When the system owners did provide testing documents, the majority of the documents bore dates that did not match the date the owner reported in DITPR. The FY 2006 FISMA Guidance required that DoD Components make their first update in DITPR for FY 2007 by December 1, 2006. [7] The owners of several systems provided testing documentation dated after the date reported in DITPR but before December 1, 2006. That documentation indicated that system owners did not properly update the test date in DITPR.

DITPR information also indicates that some system owners had not tested their systems’ contingency plans for more than 5 years. Specifically, owners of Navy and Air Force systems reported in DITPR that they last tested the systems’ contingency plans in 2002. A Defense Logistics Agency system owner last reported testing the system’s contingency plan in 2003.

Other DITPR Data. During our review of contingency planning documents, we identified other DITPR reporting problems. Specifically, we found that system owners reported the same systems twice in DITPR, that the documentation owners provided did not match reporting for other DITPR data elements, and that system owners made unusual designations in DITPR.

[7] The FY 2006 FISMA Guidance established December 1, 2006, as the deadline for entering first-quarter FY 2007 updates in DITPR; we obtained our sample universe from DITPR on January 24, 2007.

Duplicate Reporting. In three cases, system owners from different Components reported the same system under different DITPR identification numbers. For example, system owners from the Army and the Navy reported the same system using DITPR identification numbers 3612 and 5021, respectively. System owners from the Navy and the U.S. Transportation Command reported the same system under DITPR identification numbers 4827 and 354, respectively. Finally, owners from the Army and U.S. Transportation Command reported the same system using DITPR identification numbers 3037 and 1352, respectively.

Conflicting or Missing DITPR Data. We also found instances when the documentation that system owners provided did not match other DITPR data fields or was incomplete. For instance, the owners of Army systems designated their systems as mission critical; however, the owner stated that the systems were mission support systems. Other Army owners left the testing data field blank.

Conflicts Between Data Entries and Documentation. Two Navy system owners reported their systems as MAC I; however, the documentation identified the system as MAC II. One of the two owners also reported in DITPR that their system was mission critical whereas the documentation they provided showed that the system was actually mission essential. Navy system owners also reported future dates in DITPR when answering the question about when they last tested the contingency plan. For example, we generated our audit sample on January 24, 2007; the DITPR information collected on that date showed that one Navy system owner reported having last tested the system’s contingency plan in October 2007. Additionally, Navy system owners reported dates in DITPR to indicate when they last tested their systems’ contingency plans, but also reported that they did not develop contingency plans for their systems.

During the review, Air Force officials did not provide any testing documentation on systems in our sample. Therefore, we projected that no Air Force system owners prepared or tested their systems’ contingency plans or documented test results.

Unusual Designations. The FY 2006 FISMA Guidance states that system owners’ designating their systems as mission critical and MAC III is unusual. The Guidance recommends that system owners review the designation combination closely before making such a designation in DITPR. The designation is unusual because a system owner is protecting a mission-critical system whose loss would stop warfighter operations with the minimum security required for any information system. System owners should protect their system at MAC III only when the consequences of the loss of its information can be tolerated or overcome without jeopardizing mission effectiveness or operational readiness. Owners of 17 Army, 5 Navy, 8 Air Force, 4 Marine Corps, and 5 ODO mission-critical systems designated their systems as MAC III. We could not find in the documentation any reasons given by owners for designating their systems as mission critical and MAC III.

Policy and Guidance

DoD Contingency Planning Policy. ASD(NII)/CIO did not establish a comprehensive policy for contingency planning. DoD contingency planning policy is fragmented and does not provide system owners with comprehensive policy for preparing contingency plans. DITSCAP requires system owners to prepare contingency plans but does not tell them how. DoD Instruction 8500.2 requires that system owners test certain aspects of the plan but does not identify the types of tests system owners must conduct or require that owners document results. Further, the DITPR Data Dictionary, which explains in detail what owners should report in each DITPR data field, is confusing. Specifically, the January 31, 2007, version of the DITPR Data Dictionary states that the “contingency test date” refers to the date a system owner last tested the system’s contingency plan or COOP. In other words, the DITPR Data Dictionary uses the terms “contingency plan” and “COOP” interchangeably.
The terms, however, have different meanings.

A contingency plan restores system operations, whereas a COOP restores mission and organizational operations. Because DITPR is the DoD repository for system information, we interpreted the DITPR Data Dictionary to require that Components enter the date the system’s contingency plan was last tested. Because DITPR and the Data Dictionary use the terms interchangeably, we believe confusion exists among system owners about the difference between a contingency plan and a COOP. We base our conclusion on the documents owners provided to demonstrate that they had developed a plan for their systems. Specifically, numerous system owners provided the headquarters COOP in response to our data request rather than the system’s contingency plan.

Guidance for Components on Contingency Planning. The Army, Navy, Air Force, U.S. Strategic Command, U.S. Transportation Command, Defense Contract Management Agency, Defense Threat Reduction Agency, Missile Defense Agency, and TRICARE Management Activity issued some form of guidance on contingency planning in the absence of an overarching DoD policy on contingency planning. The policy issued by the Army, Navy, Air Force, and the TRICARE Management Activity referred to the National Institute of Standards and Technology Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” June 2002, and recommended its use when preparing system contingency plans. Special Publication 800-34 identifies fundamental planning principles and practices to help personnel develop and maintain effective information technology contingency plans.

Despite the fact that some DoD Components recommended use of Special Publication 800-34, ASD(NII)/CIO has not formally mandated its use or established a comprehensive DoD contingency planning policy in accordance with DoD Directive 5144.1. ASD(NII)/CIO should either require that DoD Components implement Special Publication 800-34 or issue a comprehensive policy for contingency planning for DoD information systems. ASD(NII)/CIO should also develop a training program for DoD Components on contingency planning. The training program would ensure that system owners consistently prepare and test contingency plans.

DITPR Data Quality

DoD Component CIOs did not implement Component-level automated controls to help ensure complete and accurate reporting in DITPR. The DoD Components own the information systems reported in DITPR and are responsible to update and maintain their information system data reported in DITPR. According to the FY 2006 DITPR Guidance, the Components are responsible for the accuracy and completeness of their system data in DITPR and must implement automated controls that help ensure that system owners report complete, accurate, and up-to-date information in DITPR. The FY 2006 DITPR Guidance also required that the Component CIO certify in writing that automated controls were in place to help ensure DITPR data quality.

Military Departments. Army and Navy officials stated in their DITPR CIO Memorandums that they implemented automated controls. However, Army and Navy officials acknowledged that the automated controls were actually reports generated from their Service-level systems that officials manually reviewed to identify blank data fields. According to the officials, the manual reviews can determine only the completeness of their information, not its accuracy. Although manual reviews may be considered a control measure, manually reviewing a report to identify data anomalies is not an automated control. In September 2006, Air Force officials stated that they, too, implemented an automated tool; however, the tool was not in place at the time the Air Force CIO signed his DITPR CIO Certification Memorandum. Air Force officials also stated that the automated tool is now operational but that system owners are reluctant to use it.

Other Defense Organizations. Component CIOs for 7 of the 10 ODOs we sampled indicated in their annual CIO DITPR Certification Memorandums that they implemented automated controls. We found, however, that only the CIO from the TRICARE Management Activity had implemented automated controls, as the remaining six CIOs did not implement the controls as certified in their memorandum. For example, a Defense Contract Management Agency official stated that the agency maintained a spreadsheet to track accreditation dates. Tracking accreditation dates only identifies when a system owner must re-accredit a system to operate and is not an example of an automated tool that would improve the quality of DITPR information. In addition, a U.S. Strategic Command official stated that he uses the Outlook calendar as a reminder to generate a monthly FISMA report from DITPR. The official stated that he manually reviews the monthly report from DITPR to identify any inconsistencies.

ASD(NII)/CIO. ASD(NII)/CIO has taken steps to improve data quality of the information in DITPR.
In August 2007, ASD(NII)/CIO officials responsible for managing DITPR included 16 built-in checks, called data integrity rules, that identify when information in a data field is not logical. For example, one data integrity rule identifies when owners enter a future date in DITPR for when they last tested their contingency plan. Another rule identifies when owners enter a contingency plan test date but entered a “no” in the field asking whether they developed a plan for the system.

DITPR officials can also identify when owners leave certain data fields blank; however, officials stated that the challenge is to identify who is responsible for correcting the anomalies identified by these metrics. On September 7, 2007, ASD(NII)/CIO began requiring that Component CIOs complete a DoD Component Data Traceability Document, which describes the internal processes used by the Component to ensure that they inventoried all their information systems and that the data supplied in DITPR are accurate and taken from authoritative sources. [8] The Components must also document whether they independently validated their internal processes, the frequency of independent validation, and the validation results and remedial actions taken. DITPR officials plan to phase in the DoD Component Data Traceability Document requirement over the next 2 years. The new document will replace the DITPR CIO Certification Memorandums as long as Components update the traceability document annually.

Although DITPR provides automated controls to identify blank and illogical data, the DoD Components supply the information reported in DITPR and must provide accurate and complete information.
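The data integrity rules described above, as an added example that is not part of the report and not DITPR’s own code: a small checker that applies rules of that kind (a future test date, a test date alongside a “no” for plan development, blank fields, the DoD Instruction 8500.2 test frequency by MAC, and the mission-critical plus MAC III combination the FY 2006 FISMA Guidance calls unusual) to constructed system records. The field names, rule names and sample records are assumptions modeled on the anomalies the report describes.

```python
"""Added example, not the report's or DITPR's own code: DITPR-style data
integrity rules applied to constructed system records.

Assumptions (not from the report): the record field names, the rule names,
and the sample records below. The as-of date is the audit's sample date."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2007, 1, 24)  # date the audit pulled its DITPR sample universe

# DoD Instruction 8500.2: MAC I tested twice a year, MAC II and III once a year.
MAX_TEST_AGE_DAYS = {"I": 183, "II": 365, "III": 365}


@dataclass
class Record:
    system_id: str              # constructed identifier, not a real DITPR number
    mission_criticality: str    # "mission critical", "mission essential", ...
    mac: str                    # "I", "II", "III", or "" when left blank
    requires_ca: bool           # owner reported C&A as required
    plan_developed: str         # "yes", "no", "n/a", or "" when left blank
    test_date: Optional[date]   # reported last test date, None when blank


def check_record(rec: Record, as_of: date = AS_OF) -> List[str]:
    """Return the names of every rule the record violates, in rule order."""
    findings: List[str] = []
    has_date = rec.test_date is not None
    said_yes = rec.plan_developed.strip().lower() == "yes"

    # Completeness: blank fields DITPR officials said they can already flag.
    if not rec.mac:
        findings.append("blank_mac")
    if not rec.plan_developed.strip():
        findings.append("blank_plan_developed")
    if not has_date:
        findings.append("blank_test_date")

    # Rule cited in the report: a test date in the future is not logical.
    if has_date and rec.test_date > as_of:
        findings.append("future_test_date")

    # Rule cited in the report: a test date but no "yes" for plan development.
    if has_date and not said_yes:
        findings.append("test_date_without_plan")

    # DITSCAP: a system that requires C&A must have a contingency plan.
    if rec.requires_ca and not said_yes:
        findings.append("ca_required_but_no_plan")

    # DoD Instruction 8500.2 test frequency by MAC (only for past dates).
    if has_date and rec.test_date <= as_of and rec.mac in MAX_TEST_AGE_DAYS:
        if (as_of - rec.test_date).days > MAX_TEST_AGE_DAYS[rec.mac]:
            findings.append("test_overdue_for_mac")

    # FY 2006 FISMA Guidance: mission critical plus MAC III is unusual.
    if rec.mission_criticality == "mission critical" and rec.mac == "III":
        findings.append("unusual_mission_critical_mac_iii")

    return findings


def check_all(records: List[Record], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Map each system id to its findings; systems with none map to []."""
    return {r.system_id: check_record(r, as_of) for r in records}


# Constructed records modeled on anomalies the report describes (an October
# 2007 test date reported in January 2007, a 2002 test date, "no" with a
# test date, and blank fields).
SAMPLE = [
    Record("SYS-0001", "mission critical", "I", True, "yes", date(2006, 12, 15)),
    Record("SYS-0002", "mission critical", "II", True, "yes", date(2007, 10, 1)),
    Record("SYS-0003", "mission critical", "II", True, "no", date(2006, 6, 1)),
    Record("SYS-0004", "mission critical", "III", True, "yes", date(2002, 3, 15)),
    Record("SYS-0005", "mission critical", "", True, "", None),
]

if __name__ == "__main__":
    for system_id, findings in check_all(SAMPLE).items():
        print(system_id, "OK" if not findings else ", ".join(findings))
```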
To help improve DITPR data quality, ASD(NII)/CIO required in the FY 2006 DITPR Guidance that Component CIOs implement automated controls and certify that the system information reported to DoD in DITPR is complete and accurate. However, the DoD Components in our sample often did not implement such controls and continue to supply incorrect and inaccurate information in DITPR as identified in this audit report. Further, the FY 2006 DITPR Guidance did not provide DoD Components with a definition of an automated control or specify the types of automated controls that the Components should implement.

In view of the contingency planning reporting problems identified in this report, the DITPR Component CIO Memorandums currently provide no assurance as to the completeness and accuracy of information in DITPR. The new DoD Component Data Traceability Document will require Component CIOs to record their DITPR information processes and may identify ways to improve the quality of data in DITPR. Until the DoD Component Data Traceability Document is fully implemented across DoD, Component CIOs should closely review their DITPR CIO Certification Memorandums to ensure that the information is accurate. The Component CIOs should closely review the basis of their assertions on the accuracy and completeness of their information in DITPR and interview information assurance professionals to validate such assertions. The Component CIOs should also sanction system owners that continue to report inaccurate and incomplete information in DITPR. Finally, ASD(NII)/CIO should include caveats in reports drawn from DITPR stating that the information is not accurate or complete and should not be relied on for management and budgetary decisions.

[8] The DoD CIO updated the FY 2006 DITPR Guidance by issuing “Department of Defense (DoD) Information Technology (IT) Portfolio Repository (DITPR) and DoD SECRET Internet Protocol Router Network (SIPRNET) IT Registry Guidance for 2007-2008,” September 6, 2007.

Management Controls

We projected that owners of 264 out of 436 DoD mission-critical information systems (61 percent) did not develop or could not provide evidence of a contingency plan for their system. The contingency plans that system owners provided varied in content and in degree of completion: some were still in draft, and most were not approved. Additionally, we projected that owners of 358 out of 436 mission-critical information systems (82 percent) did not test or could not provide evidence of testing. Our sample results are evidence that the Component CIOs did not implement management controls to ensure that owners complied with contingency planning requirements. The Component CIOs should verify that system owners are developing viable contingency plans, that plans are approved, and that plans are tested under realistic and current conditions.

In light of the significant security weaknesses identified in this audit report—that owners of a projected 61 percent of DoD mission-critical information systems did not develop or could not provide evidence of a system’s contingency plans and that 82 percent did not test plans as required—DoD Component CIOs should prepare Component-level Plans of Action and Milestones. The FY 2006 FISMA Guidance requires that Component CIOs and system owners develop, implement, and manage Plans of Action and Milestones for programs and systems they operate and control. A Plan of Action and Milestones is a management tool that documents system security weaknesses that owners must remediate and identifies the actions and milestones necessary for mitigating security weaknesses. According to the FY 2006 FISMA Guidance, a system owner should also prepare Plans of Action and Milestones when information technology security weaknesses are identified during a review. System owners should prepare a Plan of Action and Milestones to remediate the contingency planning weaknesses identified in Appendix B.

Conclusions

DoD mission-critical systems may not be able to sustain warfighter operations during a disruptive or catastrophic event without the development and testing of system contingency plans. The permanent loss of a mission-critical system would cause the stoppage of warfighter operations. Until ASD(NII)/DoD CIO issues a comprehensive DoD contingency planning policy, ASD(NII)/CIO should mandate that the DoD Components follow Special Publication 800-34 when developing system contingency plans. The DoD Component CIOs should implement management controls to verify that system owners reporting in DITPR, particularly on mission-critical systems, are developing system contingency plans. Similarly, the Component CIOs should implement controls to ensure that system owners are conducting recurring tests of the systems’ plans.

DoD provided erroneous information to Congress and the Office of Management and Budget on whether DoD had procedures in place and periodically tested the procedures necessary to recover the systems from an unforeseen event. DITPR is the only means for DoD to report the security status of its information technology systems to the Office of Management and Budget and Congress and is being used to compile reports for FISMA, as well as for other congressional reporting requirements. The inaccurate and incomplete information in DITPR continues to diminish the usefulness of the database for management oversight by DoD, the Office of Management and Budget, and Congress. Unless DoD implements effective internal quality controls over Component-supplied information in DITPR, DoD reporting on the security status of its information systems continues to be flawed and should not be relied on.

Management Comments on the Finding, Unsolicited Comments on the Finding and Recommendations, and Audit Response

The Air Force, U.S. Transportation Command, and the Defense Contract Management Agency provided comments on the finding section of the report. Although not required to comment, the Marine Corps also commented on the finding and the Defense Threat Reduction Agency commented on Recommendation 1. Summaries of management comments on the finding, unsolicited comments on the finding and recommendations, and our audit response are in Appendix C.

Recommendations, Management Comments, and Audit Response

1. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer:

a. Require DoD Components to use the National Institute of Standards and Technology Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” June 2002, when developing and testing DoD contingency plans, or issue a comprehensive DoD contingency planning policy.

Management Comments.
The Deputy Assistant Secretary of Defense for\n    Information and Identity Assurance, responding for the DoD CIO, concurred in\n    principle, stating that the DoD CIO will recommend that Special\n    Publication 800-34 be used as a guide when preparing system contingency plans.\n\n           Audit Response. The Deputy Assistant Secretary of Defense for\n    Information and Identity Assurance comments were responsive, and no further\n    comments are required.\n\n             b. Inform the Office of Management and Budget and Congress that\n    DoD does not have internal controls over the accuracy of data on the security\n    of its information technology systems, and include a caveat to that effect in\n    all reports based on data drawn from the DoD Information Technology\n\n\n                                       15\n\x0cPortfolio Repository until demonstrably effective internal controls have been\nin place for at least 1 full year.\n\n        Management Comments. The Deputy Assistant Secretary of Defense for\nInformation and Identity Assurance, responding for the DoD CIO, concurred in\nprinciple, stating that future reports generated using DIPTR as the principal\nsource will include a caveat indicating that some DITPR data should be used with\ncaution.\n\n        Audit Response. The Deputy Assistant Secretary of Defense for\nInformation and Identity Assurance comments were nonresponsive. The Deputy\nAssistant Secretary of Defense for Information and Identity Assurance did not\nindicate whether ASD(NII)/CIO would inform the Office of Management and\nBudget and Congress that DoD does not have internal controls over the accuracy\nof data on the security of its information technology systems. 
Additionally, the Deputy's response to include a "caution" on DITPR data reports is ambiguous. Therefore, we request that ASD(NII)/CIO inform the Office of Management and Budget and Congress that DoD does not have internal controls over the accuracy of data on the security of its information technology systems. We also request that ASD(NII)/CIO provide additional comments on the final report identifying the specific language that will be used in reports generated from DITPR to alert users that the information in the report is not reliable.

c. Immediately issue a supplement to the DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Federal Information Security Management Act (FISMA) for Fiscal Year 2007 (FY07)," May 21, 2007, and all continuations of the guidance, that contains the information on testing contingency plans that was included in the supplemental section of the DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Federal Information Security Management Act (FISMA) Guidance for Fiscal Year 2006 (FY 06)," April 4, 2006.

Management Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, partially concurred, stating that since the FY 2007 FISMA reporting is complete, a supplement to that guidance would not be useful. The Deputy for Information and Identity Assurance agreed, however, to include additional guidance on contingency planning and testing in the FY 2008 FISMA Guidance, which will be issued in the first quarter of 2008.

Audit Response. The Deputy Assistant Secretary of Defense for Information and Identity Assurance comments were responsive, and no further comments are required.

d. Immediately issue a supplement to the DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Information Technology (IT) Portfolio Repository (DITPR) and DoD SECRET Internet Protocol Router Network (SIPRNET) IT Registry Guidance for 2007-2008," September 6, 2007, and all continuations of the guidance, that:

(1) Defines an automated control and specifies the types of data integrity rules DoD Components must implement to ensure they enter complete, accurate, and authoritative data in the DoD Information Technology Portfolio Repository.

(2) Clarifies the difference between a contingency plan and a continuity of operations plan.

(3) Removes references to continuity of operations plans in the "contingency plan" and "contingency plan last exercised" data fields in the DoD Information Technology Portfolio Repository and the DoD Information Technology Portfolio Repository Data Dictionary.

Management Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, concurred in principle, stating that a software release in October 2007 included enhancements to DITPR data quality. The Deputy for Information and Identity Assurance stated that additional changes to implement automated application controls will be introduced in subsequent releases. The Deputy for Information and Identity Assurance also stated that the DoD CIO will supplement current DITPR guidance to clarify differences between contingency planning and continuity of operations planning.

Audit Response. The Deputy Assistant Secretary of Defense for Information and Identity Assurance comments were partially responsive. We request that ASD(NII)/CIO provide comments on the final report identifying the specific application controls that will be introduced into DITPR and the dates by which each control will be implemented.

e. Implement a training program in contingency planning for DoD Component officials who develop, test, and approve contingency plans for information systems.

Management Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, concurred, stating that DoD will add guidance on DoD contingency planning to the information technology information assurance training program managed and operated by the Defense Information Systems Agency.

Audit Response. The Deputy Assistant Secretary of Defense for Information and Identity Assurance comments were responsive, and no further comments are required.

2. We recommend that the Assistant Secretary of Defense for Network and Information Integration/DoD Chief Information Officer; the Director, Business Transformation Agency; and the Chief Information Officers for the Department of the Army, Department of the Navy, Department of the Air Force, the U.S. Strategic Command, the U.S. Transportation Command, the Defense Contract Management Agency, the Defense Information Systems Agency, the Defense Logistics Agency, the Defense Threat Reduction Agency, the Missile Defense Agency, and the TRICARE Management Activity:

a. Require that system owners develop contingency plans in accordance with DoD Instruction 5200.40, "DoD Information Technology Certification and Accreditation Process (DITSCAP)," December 30, 1997, and the National Institute of Standards and Technology Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems," June 2002, until DoD issues formal contingency planning policy.

ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, nonconcurred, stating that DoD is using the interim DoD Information Assurance Certification and Accreditation Process guidance instead of DoD Instruction 5200.40. However, the Deputy for Information and Identity Assurance stated that additional guidance will be provided recommending that Special Publication 800-34 be used as a guide when preparing contingency plans.

Audit Response. The Deputy Assistant Secretary of Defense for Information and Identity Assurance comments were partially responsive. Although ASD(NII)/CIO formally issued DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," on November 28, 2007, the Instruction does not require that DoD Components implement information assurance policies and procedures issued by the National Institute of Standards and Technology as required by FISMA. ASD(NII)/CIO agreed in comments on this report to recommend that DoD Components use the National Institute of Standards and Technology Special Publication 800-34 as a guide when preparing system contingency plans, but did not indicate the planned date for issuing the supplemental guidance.
Therefore, we request that ASD(NII)/CIO provide comments on the final report identifying a completion date for issuing the guidance requiring DoD Components to use Special Publication 800-34 when preparing system contingency plans.

Army Comments. The Acting CIO, Department of the Army concurred, stating that the Army published Department of the Army Pamphlet 25-1-2, "Information Technology Contingency Planning," November 16, 2006. The Acting CIO stated that the Pamphlet implements DoD and Federal policy and was based on Special Publication 800-34.

Audit Response. The Army comments were responsive, and no further comments are required.

Navy Comments. The Deputy CIO for Policy and Integration, responding for the Navy CIO, concurred, stating that the Navy CIO will issue specific guidance on this recommendation after receipt of the final audit report.

Audit Response. The Navy comments were partially responsive. We request that the Navy provide comments on the final report identifying a completion date for issuing guidance requiring that system owners develop plans in accordance with Special Publication 800-34.

Defense Contract Management Agency Comments. The Acting Director, Defense Contract Management Agency partially concurred, stating that DoD CIO Memorandum, "Interim Department of Defense (DoD) Information Assurance Certification and Accreditation Process Guidance," July 6, 2006, instructed all DoD personnel to disregard DoD Instruction 5200.40 and comply with the requirements of draft DoD Instruction 8510.bb, "The DoD Information Assurance Certification and Accreditation Process (DIACAP)."

Audit Response. Although the Defense Contract Management Agency partially concurred, we considered the comments responsive, and no further comments are required.

Defense Information Systems Agency Comments. The CIO, Defense Information Systems Agency stated that the agency uses the annual DoD FISMA Guidance, which requires systems to have a contingency plan that is developed and tested in accordance with DoD Instruction 8500.2.

Audit Response. The CIO, Defense Information Systems Agency comments were responsive, and no further comments are required.

Defense Threat Reduction Agency Comments. The CIO, Defense Threat Reduction Agency partially concurred, stating that DITSCAP does not describe how to write or test a contingency plan, nor does its replacement, the DoD Information Assurance Certification and Accreditation Process. The CIO stated that while there is no current DoD policy that describes how to develop and test a contingency plan, Special Publication 800-34 provides a detailed description for writing a plan, explains how contingency planning fits into the system development life cycle, and provides a template. The CIO stated that contingency plans should be developed in accordance with Special Publication 800-34 until DoD issues a formal contingency planning policy.

Audit Response. The CIO, Defense Threat Reduction Agency comments were partially responsive. While the CIO stated that contingency plans should be developed in accordance with Special Publication 800-34, he did not state whether the Defense Threat Reduction Agency would issue supplemental guidance requiring that system owners use Special Publication 800-34.
We request that the Defense Threat Reduction Agency provide comments on the final report indicating whether the agency plans to issue supplemental guidance requiring that owners implement Special Publication 800-34 and the completion date for issuing the guidance.

Marine Corps Management Comments. Although not required to respond, the Director, Command, Control, Communications, and Computers concurred with the recommendation, stating that the Marine Corps is developing contingency plan templates based on Special Publication 800-34. The Director stated that a system contingency plan is one of the documents required to be developed during DITSCAP.

b. Require that the Designated Approving Authority, the Certifying Authority, the program manager, and the user representative approve contingency plans for information systems.

ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, concurred in principle, stating that current guidance requires that the contingency plan be included in the certification package. The Deputy for Information and Identity Assurance stated that the Designated Approving Authority reviews the certification package when determining the system's authority to operate.

Audit Response. ASD(NII)/CIO comments were partially responsive. While we agree that the Designated Approving Authority reviews the certification package when determining the system's authority to operate, the Deputy Assistant Secretary of Defense for Information and Identity Assurance did not comment on whether he would require the Designated Approving Authority, the Certifying Authority, the program manager, and the user representative to approve contingency plans for information systems. Therefore, we request that ASD(NII)/CIO provide comments on the final report clarifying the response to Recommendation 2.b.

Army Comments. The Acting CIO, Department of the Army concurred, stating that the Army will comply with ASD(NII) contingency planning policy and procedures when promulgated. The Acting CIO stated that, as an interim measure, the Army will supplement Department of the Army Pamphlet 25-1-2 with best business practices on contingency planning procedures by November 30, 2007. The best business practices will have the Designated Approving Authority, the Certifying Authority, the program manager, and the user representative review, approve, and sign the contingency plan for any system in the acquisition process. The Certifying Authority and the Designated Approving Authority will review and approve contingency plans for the installation network. The Acting CIO further stated that system owners are required by July 1, 2008, to review, update, and provide the Office of Information Assurance and Compliance a signed contingency plan for each system under their control.

Audit Response. The Army comments were responsive, and no further comments are required.

Navy Comments. The Deputy CIO for Policy and Integration, responding for the Navy CIO, concurred in principle, stating that the Navy CIO will issue specific guidance on this subject after receipt of the final audit report.

Audit Response. The Navy comments were partially responsive. We request that the Navy provide comments on the final report identifying a completion date for issuing supplemental guidance on the approval of contingency plans for Navy information systems.

Defense Contract Management Agency Comments. The Acting Director, Defense Contract Management Agency partially concurred, stating that the approval authority for contingency plans that involve resources used by the Defense Information Systems Agency should reside with that agency. However, the Acting Director stated that a robust dialog must exist between the Defense Information Systems Agency and the Designated Approving Authority responsible for the system's certification and accreditation.

Audit Response. The Defense Contract Management Agency comments were partially responsive. A system whose contingency plan has been developed with resources from another agency should be jointly approved by the Defense Contract Management Agency and the Defense Information Systems Agency. We request that the Defense Contract Management Agency provide comments on the final report indicating how the agency will ensure that system contingency plans jointly funded with the Defense Information Systems Agency are approved.

Defense Information Systems Agency Comments. The CIO, Defense Information Systems Agency stated that the agency's certification and accreditation process requires that the Designated Approving Authority, Certifying Authority, and program manager approve the System Security Authorization Agreement in accordance with DITSCAP. The CIO stated that the Defense Information Systems Agency plans to release an implementation manual in July 2008 that requires the four approving authorities to review the contingency plan before the System Security Authorization Agreement is approved.

Audit Response. The Defense Information Systems Agency comments were responsive, and no further comments are required.

Defense Threat Reduction Agency Comments. The CIO, Defense Threat Reduction Agency partially concurred, stating that current practice at the Defense Threat Reduction Agency requires that the Designated Approving Authority, Certifying Authority, program manager, and user representative approve system contingency plans. The CIO stated that, because it is difficult to find someone without a vested interest in system performance, the user representative functions defined in the DoD Information Assurance Certification Process should be optional.

Audit Response. The Defense Threat Reduction Agency comments were nonresponsive. Although the CIO stated that current practice at the Defense Threat Reduction Agency requires the Designated Approving Authority, Certifying Authority, program manager, and user representative to approve system contingency plans, those officials are not approving contingency plans as required. We request that the Defense Threat Reduction Agency provide comments on the final report indicating how the agency will ensure that its information system contingency plans are properly approved.

Marine Corps Comments. Although not required to respond, the Director, Command, Control, Communications, and Computers concurred with the recommendation, stating that the Designated Approving Authority is responsible for the final accreditation and acceptance of information assurance requirements for Marine Corps operational information systems. As part of the certification and accreditation process, the Certifying Authority or his representative reviews the system's documentation and provides an accreditation recommendation to the Designated Approving Authority for approval.

c. Require that system owners conduct recurring tests of contingency plans under realistic conditions and in accordance with DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, and DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Federal Information Security Management Act (FISMA) Guidance for Fiscal Year 2006 (FY 06)," April 4, 2006, and document results.

ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, concurred in principle, stating that DoD Instruction 8500.2 already requires that system owners test contingency plans. The Deputy for Information and Identity Assurance stated that amplifying guidance on contingency plan testing will be included in the FY 2008 FISMA reporting guidance.

Audit Response. ASD(NII)/CIO comments were responsive, and no further comments are required.

Army Comments. The Acting CIO, Department of the Army concurred, stating that the existing guidance requires that system owners conduct recurring tests of contingency plans under a variety of conditions. The Acting CIO stated that the guidance also provides procedures for testing the security controls identified in DoD Instruction 8500.2.

Audit Response. The Army comments were partially responsive. While we recognize that the Army issued guidance requiring that owners conduct recurring tests of contingency plans under a variety of conditions, the Army CIO does not have controls in place to ensure that system owners comply with the policy. We request that the Army provide comments on the final report indicating how the Army will ensure that system owners are testing contingency plans under realistic conditions and in accordance with DoD Instruction 8500.2.

Navy Comments. The Deputy CIO for Policy and Integration, responding for the Navy CIO, concurred, stating that the Navy CIO will issue specific guidance on this subject after receipt of the final audit report.

Audit Response. The Navy comments were partially responsive. We request that the Navy provide comments on the final report indicating a completion date for issuing specific guidance on Recommendation 2.c.

Defense Contract Management Agency Comments. The Acting Director, Defense Contract Management Agency concurred, stating that tests of the contingency plan for the Agency's system were conducted annually. The Acting Director stated that an after-action report is published after each test.

Audit Response. The Defense Contract Management Agency comments were nonresponsive. The owner of the Defense Contract Management Agency system we reviewed did not develop, or could not provide evidence of, the system's contingency plan. The system owner could not conduct a test of a contingency plan that did not exist. The system owner did provide an after-action report for a test of the continuity of operations plan for the Systems Management Center Ogden. However, we determined that the test was not of the system's contingency plan but of the Center's continuity of operations plan. Therefore, we request that the Defense Contract Management Agency provide comments on the final report indicating whether the owner of the system we reviewed has since developed and then tested the system's contingency plan.

Defense Information Systems Agency Comments. The CIO, Defense Information Systems Agency stated that an implementation manual scheduled for release in July 2008 will include procedures to enforce compliance with contingency plan requirements.
The CIO stated that current procedures, taken from the annual DoD FISMA guidance, are provided to information assurance and program managers through a DoD online portal.

Audit Response. The Defense Information Systems Agency comments were responsive, and no further comments are required.

Defense Threat Reduction Agency Comments. The CIO, Defense Threat Reduction Agency nonconcurred, stating that resource constraints prevent recurring tests of contingency plans under realistic conditions. The CIO stated that desktop testing is economical and, if done properly, can be thorough enough to identify security weaknesses.

Audit Response. The CIO, Defense Threat Reduction Agency comments were nonresponsive. While we agree that desktop testing is economical and can identify security weaknesses, desktop testing is not stringent enough to thoroughly identify the security weaknesses of a contingency plan. For instance, whether backup and alternate site procedures actually keep systems and the information they contain available during a disruptive or catastrophic event is best determined during a functional exercise. We request that the Defense Threat Reduction Agency reconsider its position and allocate the resources needed to periodically conduct functional tests of its information system contingency plans.

Marine Corps Comments. Although not required to respond, the Director, Command, Control, Communications, and Computers concurred with the recommendation, stating that the Marine Corps implemented a quarterly reporting schedule requiring that Marine Corps information systems be tested in accordance with DoD Instruction 8500.2. The Director stated that the results are documented and used to update Marine Corps DITPR data as required by FISMA.

d. Implement management controls to verify that system owners:

(1) Develop contingency plans in accordance with DoD Instruction 5200.40, "DoD Information Technology Certification and Accreditation Process (DITSCAP)," December 30, 1997, and the National Institute of Standards and Technology Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems," June 2002.

(2) Conduct recurring tests of system contingency plans in accordance with DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, and DoD Chief Information Officer Memorandum, "Department of Defense (DoD) Federal Information Security Management Act (FISMA) Guidance for Fiscal Year 2006 (FY 06)," April 4, 2006.

(3) Populate the "contingency plan" and "contingency plan last tested" data fields in the DoD Information Technology Portfolio Repository with complete and accurate system information.

ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense for Information and Identity Assurance, responding for the DoD CIO, partially concurred with Recommendation 2.d.1., stating that DoD is using the interim DoD Information Assurance Certification and Accreditation Process, not DoD Instruction 5200.40. The Deputy for Information and Identity Assurance stated that additional guidance will be issued recommending that Special Publication 800-34 be used as a guide when preparing system contingency plans.

The Deputy for Information and Identity Assurance concurred with Recommendations 2.d.2. and 2.d.3., stating that plans are underway to conduct assessments to verify, among other things, that contingency plans are tested in accordance with current guidance and that Components maintain auditable documents that support information reported in DITPR.

Audit Response. ASD(NII)/CIO comments were partially responsive to Recommendation 2.d.1. and responsive to Recommendations 2.d.2. and 2.d.3. We request that ASD(NII)/CIO provide comments on the final report for Recommendation 2.d.1. that identify a completion date for issuing supplemental guidance requiring DoD Components to use Special Publication 800-34 when developing system contingency plans.

Army Comments. The Acting CIO, Department of the Army concurred, stating that the Army Portfolio Management System is the official and authoritative source for information on Army information technology systems entered into DITPR. The Acting CIO stated that system owners enter their information into the Army Portfolio Management System, which is reviewed weekly by the Office of Information Assurance and Compliance to verify that system owners are developing contingency plans as required. The Acting CIO stated that owners with outdated plans are required to update the Army Portfolio Management System and provide a Plan of Action and Milestones indicating when they will become compliant. The Acting CIO stated that, currently, there are no independent methods to verify the accuracy of the data that owners enter into the Army Portfolio Management System.

The Acting CIO stated that the Army will begin requiring system owners to provide the Office of Information Assurance and Compliance with a copy of their authenticated contingency plans.
The Acting CIO also stated that the Army\nplans to implement a best business practice by requiring that owners of\nmission-critical systems submit a digitally signed message to the Office of\nInformation Assurance and Compliance certifying that they have completed\nannual testing of the system\xe2\x80\x99s contingency plan.\n\n     Audit Response. The Army comments were responsive, and no further\ncomments are required.\n\n\n                                    24\n\x0c       Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred, stating that the Navy CIO is already\nimplementing Recommendation 2.d.3.\n\n       Audit Response. The Navy comments were partially responsive. The\nDeputy CIO did not respond to Recommendations 2.d.1 or 2.d.2. We request that\nthe Navy respond to the final report for Recommendations 2.d.1 and 2.d.2.\n\n       Defense Contract Management Agency Comments. The Acting\nDirector, Defense Contract Management Agency concurred, stating that the DoD\nCIO instructed DoD personnel to disregard DoD Instruction 5200.40 and comply\nwith draft DoD Instruction 8510.bb, the DoD Information Assurance Certification\nand Accreditation Process.\n\n        Audit Response. The Defense Contract Management Agency comments\nwere nonresponsive. The Acting Director did not state what actions he would\ntake to implement Recommendations 2.d.1 through 2.d.3. We request that the\nDefense Contract Management Agency provide comments on the final report\nspecifying actions taken for Recommendations 2.d.1. through 2.d.3.\n\n        Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that, in February 2007, the agency began\nrequiring directorates to submit monthly reports. The CIO stated that the\ndirectorates are notified monthly when a system is not compliant. 
The CIO also\nstated that the agency has developed an automated tool that provides oversight on\nthe information.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency partially concurred, stating that contingency plans\nshould be developed in accordance with the DoD Information Assurance\nCertification and Accreditation Process and tested annually.\n\n       Audit Response. The Defense Threat Reduction Agency comments were\nnonresponsive. The CIO did not state what actions he would take to implement\nRecommendations 2.d.1. through 2.d.3. Therefore, we request that the Defense\nThreat Reduction Agency provide additional comments on the final report\nspecifying actions taken for Recommendations 2.d.1. through 2.d.3.\n\n        e. Impose sanctions on system owners who do not prepare and test\ntheir systems\xe2\x80\x99 contingency plans or enter complete, accurate, and\nauthoritative information in the DoD Information Technology Portfolio\nRepository.\n\n        ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO concurred in\nprinciple, stating that the DoD CIO will work with the DoD Components to\nidentify ways to deal with system owners who do not prepare and test their\n\n\n\n                                   25\n\x0csystem\xe2\x80\x99s contingency plan or enter complete, accurate, and authoritative\ninformation in DITPR.\n\n       Audit Response. ASD(NII)/CIO comments were partially responsive.\nThe Deputy Assistant Secretary of Defense for Information and Identity\nAssurance did not provide a completion date for imposing sanctions on system\nowners who do not prepare and test their system\xe2\x80\x99s contingency plans or enter\ncomplete, accurate, and authoritative information in DITPR. 
We request that\nASD(NII)/CIO provide comments on the final report indicating a completion date\nfor imposing sanctions needed for system owners that do not comply with\nRecommendation 2.e.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the Army CIO will impose appropriate sanctions on owners who do\nnot comply with contingency planning policies and procedures. The Acting CIO\nstated that the sanction could include withholding funds, withdrawal of the\nauthority to operate, or denial of network connectivity.\n\n     Audit Response. The Army comments were responsive, and no further\ncomments are required.\n\n        Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred in principle, stating that the Navy CIO\nwill issue specific guidance on this subject after receipt of the final audit report.\n\n       Audit Response. The Navy comments were partially responsive. We\nrequest that the Navy provide comments on the final report indicating a\ncompletion date for issuing specific guidance on Recommendation 2.e.\n\n        Defense Contract Management Agency Comments. The Acting\nDirector, Defense Contract Management Agency partially concurred, stating that\nagency officials do not believe a mandatory requirement to impose sanctions is\nneeded in all instances. The Acting Director stated that sanctions should not be\nimposed when an owner inadvertently enters incorrect data. The Acting Director\nstated that, in such instances, nondisciplinary action is appropriate.\n\n        Audit Response. The Defense Contract Management Agency comments\nwere partially responsive. The Acting Director did not state what sanctions he\nwould impose on system owners that routinely enter incorrect data in DITPR.\nAdditionally, the Acting Director did not specify an alternate course of action for\nthose system owners who inadvertently enter incorrect data into DITPR. 
We\nrequest that the Defense Contract Management Agency provide comments on the\nfinal report on planned sanctions for system owners who enter incorrect data into\nDITPR.\n\n        Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that the Senior Information Assurance Officer\nhas the authority to issue a notice to deny a system\xe2\x80\x99s authority to operate that\npresents a threat to network security. The CIO stated that this process will be\nused to enforce compliance of system contingency plan testing.\n\n\n\n                                      26\n\x0c        Audit Response. The Defense Information Systems Agency comments\nwere partially responsive. The CIO did not state what sanctions he planned to\nimpose on system owners who entered incorrect information in DITPR. We\nrequest that the Defense Information Systems Agency provide comments on the\nfinal report specifying planned sanctions for system owners who enter incorrect\ndata into DITPR.\n\n        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency concurred in principle, stating that it is necessary to\ndetermine meaningful sanctions that will not compromise operational\neffectiveness or mission achievement.\n\n        Audit Response. The Defense Threat Reduction Agency comments were\npartially responsive. The CIO did not state what he planned to impose on system\nowners who entered incorrect information in DITPR. We request that the\nDefense Threat Reduction Agency provide comments on the final report\nspecifying planned sanctions for system owners who enter incorrect data into\nDITPR.\n\n        Marine Corps Comments. Although not required to respond, the\nDirector, Command, Control, Communications, and Computers concurred with\nthe recommendation, stating that the systems without complete security\ndocumentation, including contingency plans, will not receive accreditation. 
The\nDirector stated that those systems will be reported to the Marine Corps CIO for\nfurther action.\n\n        f. Implement automated controls, if applicable, on the Component\nsystem used to populate the DoD Information Technology Portfolio\nRepository to prevent blank data fields, duplicate reporting of systems and\nsystem information, and reporting of different information for similar data\nfields.\n\n        ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO, concurred\nin principle, stating that the DoD CIO continues to coordinate with the\nComponents using automated systems to populate DITPR. The Deputy for\nInformation and Identify Assurance stated that automated systems ensure that\nappropriate automated application controls are in place to ensure a high degree of\nDITPR data quality.\n\n        Audit Response. ASD(NII)/CIO comments were partially responsive.\nThe Deputy Assistant Secretary of Defense for Information and Identity\nAssurance did not explain what coordination efforts are taking place with the\nComponents to implement automated controls on the Component systems used to\npopulate DITPR. We request that ASD(NII)/CIO provide comments on the final\nreport on the coordination efforts underway to implement Recommendation 2.f.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the Army Portfolio Management Solution system, used to populate\nDITPR, is operated under strict configuration management. To implement the\nrecommendation, the Acting CIO stated that Army officials are developing\n\n\n                                    27\n\x0cengineering change proposals for the system\xe2\x80\x99s configuration control board. The\nActing CIO stated that the proposed changes include making the \xe2\x80\x9ccontingency\nplan\xe2\x80\x9d field mandatory, and requiring it to be populated with an appropriate\nresponse. 
The Acting CIO stated that blank responses will not be considered\nappropriate, and that cross checks will be performed to prevent duplicate\nreporting. The Acting CIO stated that the engineering change proposals will be\nsubmitted to the control board by January 10, 2008, with implementation planned\nby July 1, 2008.\n\n     Audit Response. The Army comments were responsive, and no further\ncomments are required.\n\n        Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred, stating that the Navy CIO and the Office\nof the Secretary of Defense are studying the feasibility of automated controls.\nThe Deputy CIO stated that, currently, the Navy CIO is conducting twice-monthly\nmanual reviews.\n\n     Audit Response. The Navy comments were responsive, and no further\ncomments are required.\n\n       Defense Contract Management Agency Comments. The Acting\nDirector, Defense Contract Management Agency partially concurred, stating that\nthe agency does not use an automated system to populate DITPR. The Acting\nDirector stated that an information assurance professional manually updates\nDITPR and the agency\xe2\x80\x99s Deputy CIO reviews those updates.\n\n        Audit Response. The Defense Contract Management Agency comments\nwere partially responsive. While we acknowledge that the Defense Contract\nManagement Agency does not use an automated system to populate DITPR, we\nneed the agency to explain the controls it uses to ensure that system owners enter\ncorrect information into DITPR. Therefore, we request that the Defense Contract\nManagement Agency provide comments on the final report on Recommend-\nation 2.f.\n\n         Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that the agency is evaluating automated\ninformation assurance management tools for DoD-wide fielding. 
The CIO stated\nthat, in the interim, the Office of the CIO is using an automated DITPR\ncompliance tracking tool to ensure the data quality of FISMA-related fields.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency concurred in principle, stating that the agency does not\nuse a system to populate DITPR. The CIO stated that the agency plans to\nimplement automated controls using its certification and accreditation database to\nvalidate information downloaded from DITPR.\n\n\n\n\n                                    28\n\x0c        Audit Response. The Defense Threat Reduction Agency comments were\npartially responsive. We request that the Defense Threat Reduction Agency\nprovide comments on the final report indicating a completion date for\nimplementing automated controls. We also request that the Defense Threat\nReduction Agency provide the standard operating procedure for the automated\ncontrols used for its certification and accreditation database.\n\n        Marine Corps Comments. Although not required to respond, the\nDirector, Command, Control, Communications, and Computers concurred with\nthe recommendation, stating that the Marine Corps has implemented a\ncertification and accreditation support tool that interfaces with and reports to\nDITPR.\n\n       g. Prepare a Component-level Plan of Action and Milestones, within\n90 days of the issuance of the final report, noting that a significant number of\nthe Component\xe2\x80\x99s mission-critical systems have security weaknesses related to\ncontingency planning.\n\n        ASD(NII)/CIO Comments. 
The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO, concurred,\nstating that when facts in the DoD OIG audit report support the presence of\nweaknesses, the Components should develop and track a Component-level Plan of\nAction and Milestones to ensure the completion of remedial actions.\n\n        Audit Response. ASD(NII)/CIO comments were partially responsive. A\nPlan of Action and Milestone is required for any system with identified\nweaknesses, including weaknesses identified in a DoD OIG report. System\nowners should develop a Plan of Action and Milestones immediately after a\nweakness is identified, regardless of how it was identified. We request that the\nDeputy Assistant Secretary of Defense for Information and Identity Assurance\nprovide comments on the final report clarifying his response to\nRecommendation 2.g.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the Army will develop and issue an Army-level Plan of Action and\nMilestones within 90 days of the issuance of the DoD OIG final report.\n\n       Audit Response. Although the Army comments were responsive, we\nrequest that the Army provide comments on the final report identifying a\ncompletion date for the development of the Army-level Plan of Action and\nMilestones.\n\n       Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred in principle, stating that the Navy CIO\nwill develop a Component-level Plan of Action and Milestones.\n\n       Audit Response. The Navy comments were partially responsive. We\nrequest that the Navy provide comments on the final report indicating a\ncompletion date for Recommendation 2.g.\n\n\n\n\n                                    29\n\x0c        Defense Contract Management Agency Comments. 
The Acting\nDirector, Defense Contract Management Agency partially concurred, stating that\nthe recommendation is not applicable because there are no existing security\nweaknesses related to contingency planning.\n\n        Audit Response. The Defense Contract Management Agency comments\nwere nonresponsive. We reviewed one Defense Contract Management Agency\ninformation system, and it did not meet the development or testing requirements\nfor a system contingency plan. We request that the Defense Contract\nManagement Agency explain in comments on the final report the rationale for\nstating that there are no existing security weaknesses related to contingency\nplanning when this audit report clearly indicates that there were.\n\n       Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that the Office of the CIO will prepare a Plan\nof Action and Milestones within 90 days of the issuance of the final report to\nensure that mission critical systems comply with contingency planning\nrequirements. The CIO also stated that the Office of the CIO will increase\noversight of documentation in its functional processes.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency concurred in principle, stating that the agency\nsubmitted a Component-level Plan of Action and Milestones in conjunction with\nits FY 2007 FISMA report submission. The CIO stated that the plan addressed\nsecurity weaknesses in contingency planning for its reported systems.\n\n        Audit Response. The Defense Threat Reduction Agency comments were\npartially responsive. 
Although we commend the Defense Threat Reduction\nAgency for developing a Component-level Plan of Action and Milestones, the\nagency should monitor the issues identified in the plan until they are resolved.\nAdditionally, the agency should report the results in its FY 2008 response to the\nFederal Information Security Management Act.\n\n        Marine Corps Comments. Although not required to respond, the\nDirector, Command, Control, Communications, and Computers concurred with\nthe recommendation, stating that the Marine Corps fielded five two-person system\nsecurity engineering teams to oversee operational information assurance\nimplementation and validation. The Director stated that the teams\xe2\x80\x99 charter\nincludes support to the information assurance officials for developing and\nreporting contingency after-action reporting and validating and remediating any\nsecurity weaknesses found.\n\n       h. Require that owners of systems identified in this report as having\nsecurity weaknesses in contingency planning develop a Plan of Action and\nMilestones within 90 days of the issuance of the final version of this report.\n\n        ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO, concurred,\n\n\n                                   30\n\x0cstating that, when facts in the DoD OIG audit report support the presence of\nweaknesses, the Components should develop and track a Component-level Plan of\nAction and Milestones to ensure the completion of remedial actions.\n\n        Audit Response. ASD(NII)/CIO comments were partially responsive. A\nPlan of Action and Milestones is required for any system with identified\nweaknesses, including weaknesses identified in a DoD OIG report. System\nowners should develop a Plan of Action and Milestones immediately after a\nweakness is identified, regardless of how it was identified. 
We request that the\nArmy provide comments on the final report clarifying its response to\nRecommendation 2.h.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the CIO will require system owners identified in this report to develop\na Plan of Action and Milestones and submit it to the Office of Information\nAssurance and Compliance.\n\n        Audit Response. Although the Army comments were responsive, we\nrequest that the Army provide comments on the final report with a completion\ndate for the development of the Army-level Plan of Action and Milestones.\n\n        Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred in principle, stating that the Navy CIO\nwill issue specific guidance on this subject after receipt of the final audit report.\n\n       Audit Response. The Navy comments were partially responsive. We\nrequest that the Navy provide comments on the final report indicating a\ncompletion date for Recommendation 2.h.\n\n        Defense Contract Management Agency Management Comments. The\nActing Director, Defense Contract Management Agency partially concurred,\nstating that the recommendation does not apply to the Agency. The Acting\nDirector stated that during a review, we identified a weakness with the Agency\xe2\x80\x99s\nsystem. The Acting Director stated that the system now has a compliant\ncontingency plan in place that will be tested annually.\n\n       Audit Response. The Defense Contract Management Agency comments\nwere partially responsive. We request that the Defense Contract Management\nAgency, in response to the final report, provide a copy of the compliant\ncontingency plan for the system we reviewed.\n\n        Defense Information Systems Agency Comments. 
The CIO, Defense\nInformation Systems Agency stated that he will require system owners to submit\na Plan of Action and Milestones within 90 days of the issuance of this final report\nto ensure that their systems are compliant with contingency planning\nrequirements.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n\n\n\n                                      31\n\x0c        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency concurred in principle, stating that the Agency initiated\naction to address security weaknesses with contingency planning using a\nsystem-level Plan of Action and Milestones.\n\n       Audit Response. The Defense Threat Reduction Agency comments were\nresponsive, and no further comments are required.\n\n        Marine Corps Comments. Although not required to respond, the\nDirector, Command, Control, Communications, and Computers concurred with\nthe recommendation, stating that the Marine Corps will comply with the\nrequirement in its annual FISMA message.\n\n       i. Review assertions made in the DoD Information Technology\nPortfolio Repository Chief Information Officer Memorandum, including\nwhether the Component implemented automated controls, and certify the\ncurrent state of security for the Components\xe2\x80\x99 information systems.\nInterview information assurance professionals to verify that the information\nin the DoD Information Technology Portfolio Repository Chief Information\nOfficer Memorandum is accurate.\n\n        ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO, concurred\nin principle, stating that the DoD CIO considers the information in the\nmemorandums correct; however, an assessment of the facts stated in the\nmemorandum will be conducted.\n\n      Audit Response. 
ASD(NII)/CIO comments were partially responsive.\nWe request that ASD(NII)/CIO provide comments on the final report indicating a\ncompletion date for reviewing the assertions made in the Component\xe2\x80\x99s DITPR\nCIO memorandums.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the Army is in the process of implementing and refining the\nautomated controls used to validate entries in the Army Portfolio Management\nSolution system. Army officials stated that the Army Portfolio Management\nSolution system interfaces with DITPR.\n\n        Audit Response. The Acting CIO, Department of the Army comments\nwere nonresponsive. The Acting CIO did not state whether he would review\nassertions made in the DITPR CIO Memorandum, including whether the\nComponent implemented automated controls, and certify the current state of\nsecurity for the Components\xe2\x80\x99 information systems. The Acting CIO also did not\nstate whether he would interview information assurance professionals to verify\nthat the information in the DITPR CIO Memorandum is accurate. Therefore, we\nrequest that the Army provide comments on the final report for Recommend-\nation 2.i.\n\n        Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred, stating that the Navy CIO and the Office\nof the Secretary of Defense are studying the feasibility of automated controls.\n\n\n                                   32\n\x0cThe Deputy CIO stated that the Navy CIO will issue specific guidance on\ninterviewing the information assurance professionals after receipt of the final\naudit report.\n\n       Audit Response. The Navy comments were partially responsive. We\nrequest that the Navy provide comments on the final report indicating a\ncompletion date for Recommendation 2.i.\n\n        Defense Contract Management Agency Comments. 
The Acting\nDirector, Defense Contract Management Agency concurred, stating that agency\nofficials completed a review of its information in DITPR and verified that it is\naccurate.\n\n       Audit Response. The Defense Contract Management Agency comments\nwere responsive, and no further comments are required.\n\n        Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that he is currently using an automated\nDITPR compliance-tracking tool to ensure the data quality of FISMA-related\nfields. The CIO stated that the agency plans to expand the tool to assist with\ntracking the compliance of non-FISMA DITPR fields.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n        Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency concurred in principle, stating that the recommendation\nis current practice at the agency.\n\n       Audit Response. The Defense Threat Reduction Agency comments were\nresponsive, and no further comments are required.\n\n        Marine Corps Comments. Although not required to respond, the\nDirector, Command, Control, Communications, and Computers concurred with\nthe recommendation, stating that the Marine Corps has implemented an\nautomated security documentation and tracking tool, which included contingency\nreporting as a functionality.\n\n       j. Review any system designated as mission critical and Mission\nAssurance Category III to identify the rationale for the designation. Require\nthat owners document the rationale in the System Security Authorization\nAgreement.\n\n        ASD(NII)/CIO Comments. The Deputy Assistant Secretary of Defense\nfor Information and Identity Assurance, responding for the DoD CIO, concurred\nin principle, stating that DoD Components should conduct the review and\ndocument results in accordance with current guidance. 
The Deputy for\nInformation and Identity Assurance stated that the Components should report\nresults in their FY 2008 FISMA report submissions.\n\n\n\n\n                                     33\n\x0c        Audit Response. ASD(NII)/CIO comments were responsive, and no\nfurther comments are required.\n\n        Army Comments. The Acting CIO, Department of the Army concurred,\nstating that the Office of Information Assurance and Compliance conducted a\nreview and identified systems designated as mission critical and MAC III. The\nActing CIO stated that the Office of Information Assurance and Compliance\nidentified 14 systems with both designations and is contacting system owners and\nrequiring that they justify in writing the mission criticality and MAC assignment.\nThe Acting CIO stated that planned completion for this recommendation is\nJanuary 10, 2008.\n\n     Audit Response. The Army comments were responsive, and no further\ncomments are required.\n\n        Navy Comments. The Deputy CIO for Policy and Integration,\nresponding for the Navy CIO, concurred in principle, stating that the Navy CIO\nwill issue specific guidance on this subject after receipt of the final audit report.\n\n       Audit Response. The Navy comments were partially responsive. We\nrequest that the Navy provide comments on the final report indicating a\ncompletion date for Recommendation 2.j.\n\n        Defense Contract Management Agency Comments. The Acting\nDirector, Defense Contract Management Agency partially concurred, stating that\nthe recommendation does not apply to the Agency because it does not have any\nmission-critical systems designated as MAC III.\n\n        Audit Response. Although the Defense Contract Management Agency\npartially concurred, we consider comments responsive, and no further comments\nare required. 
While the CIO, Defense Contract Management Agency stated that\nthe agency does not have any systems designated as mission critical and MAC III,\nsystems designations are not static. We request that the agency be cognizant of\nsuch designations now, and in the future.\n\n        Defense Information Systems Agency Comments. The CIO, Defense\nInformation Systems Agency stated that he will review all MAC III systems\ndesignated as mission critical within 90 days of the issuance of the final report.\nThe CIO stated that the Agency will document the rationale for the designations\nand, if necessary, reclassify systems.\n\n       Audit Response. The Defense Information Systems Agency comments\nwere responsive, and no further comments are required.\n\n       Defense Threat Reduction Agency Comments. The CIO, Defense\nThreat Reduction Agency partially concurred, stating that the rationale should be\ndocumented in the System Information Security Plan required by the DoD\nInformation Assurance Certification and Accreditation Process.\n\n       Audit Response. The CIO, Defense Threat Reduction Agency comments\nwere partially responsive. The rationale to designate a system as mission-critical\n\n\n                                      34\n\x0c    and MAC III should be documented somewhere in the system\xe2\x80\x99s certification and\n    accreditation documentation. The CIO did not state, however, whether the\n    agency would require that owners of its Agency\xe2\x80\x99s information systems document\n    the rationale in certification and accreditation documentation. We request that the\n    Defense Threat Reduction Agency provide comments to the final report on\n    whether the agency plans to require that owners of its Agency\xe2\x80\x99s information\n    systems document the rationale in certification and accreditation documentation.\n\n            Marine Corps Comments. 
Although not required to respond, the\n    Director, Command, Control, Communications, and Computers concurred with\n    the recommendation, stating that systems to which the public does not have access\n    are designated as MAC III. The Director stated that the Marine Corps will work\n    with owners and program managers to complete the review and documentation to\n    validate mission-critical, mission-essential, and mission-support status.\n\n\nManagement Comments Required\n    The U.S. Strategic Command and Business Transformation Agency did not\n    comment on the draft report issued on October 2, 2007; therefore, we request that\n    they provide comments on the final report. Although the Air Force and the\n    U.S. Transportation Command commented on the draft report, their comments did\n    not indicate concurrence with the recommendation, proposed actions, or\n    completion dates. The Defense Logistics Agency, Missile Defense Agency, and\n    TRICARE Management Activity concurred with the recommendations; however,\n    those agencies did not indicate proposed actions or completion dates.\n\n    In response to the final report, we request that management provide additional\n    comments on the recommendations. The comments should include the elements in\n    the following table.\n\n\n                              Management Comments Required\n\n     Recommendation      Organization                 Statement of       Statement of    Statement of\n                                                      Concurrence or     Proposed        Completion\n                                                      Nonconcurrence     Action          Date\n     2.a. through 2.j.   Air Force                    needed             needed          needed\n                         U.S. Strategic Command       needed             needed          needed\n                         U.S. Transportation Command  needed             needed          needed\n                         Business Transformation      needed             needed          needed\n                           Agency\n                         Defense Logistics Agency     received           needed          needed\n                         Missile Defense Agency       received           needed          needed\n                         TRICARE Management Activity  received           needed          needed\n\n\nAppendix A. Scope and Methodology\n   We conducted this performance audit from January 2007 through October 2007 in\n   accordance with generally accepted government auditing standards. These\n   standards require that we plan and perform the audit to obtain sufficient,\n   appropriate evidence to provide a reasonable basis for our findings and\n   conclusions based on our audit objectives. We believe that the evidence obtained\n   provides a reasonable basis for our findings and conclusions based on our audit\n   objectives.\n\n   Audit Universe and Sample. We used the unclassified DITPR as our source of\n   information to determine the universe of DoD mission-critical systems requiring\n   information assurance certification and accreditation. We did not review systems\n   reported in the classified DITPR. 
We queried DITPR to identify systems that met\n   two criteria: each system had to require certification and accreditation, and it had to be\n   mission-critical. Systems that require certification and accreditation must have\n   contingency plans that are tested on a regular basis. We\n   reviewed only mission-critical systems because the loss of a mission-critical system's\n   information would cause the stoppage of warfighter operations or undermine mission support of\n   warfighter operations.\n\n   We queried the unclassified DITPR on January 24, 2007, the date of our audit\n   announcement. Our query resulted in a universe of 436 mission-critical systems\n   requiring information assurance certification and accreditation. The 436 systems\n   included 110 Army, 97 Navy, 85 Air Force, 50 Marine Corps, and 94 ODO systems. The\n   DoD Inspector General (IG) Quantitative Methods Directorate developed a\n   statistical sample plan for the 436 systems using a stratified sample design, which\n   resulted in an audit sample of 240 systems. The audit sample consisted of\n   60 Army, 54 Navy, 50 Air Force, 26 Marine Corps, and 50 ODO systems. See\n   Appendix B for the 240 systems sampled.\n\n   We reviewed two contingency planning data fields in DITPR for the\n   240 information systems. The first was the "contingency plan" data field, in\n   which system owners report whether they developed a contingency plan for their\n   system. We asked the Components that had reported having developed a\n   contingency plan to provide the approved, signed copy of the contingency plan.\n   The second was the data field in which system owners report the\n   date they last tested their contingency plan. We requested that system owners\n   provide after-action or lessons-learned reports or any other documentation to\n   demonstrate that they tested the system's contingency plan on the date they\n   reported in DITPR. 
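The stratified design just described, together with the projection method that Appendix A explains under Statistical Sampling and Use of Technical Assistance (a point estimate per Component stratum, a one-tailed exact binomial bound for strata in which every sampled system had the problem, and a Bonferroni adjustment across the two measures), is worked through in the following Python example. It is an added illustration, not part of this report or of the Quantitative Methods Directorate's sample plan. The universe and sample sizes are the report's; the Army count (31 of the 60 sampled Army systems in Appendix B are marked "no" under Contingency Plan Met Requirements) and the Marine Corps count (26 of 26) are also taken from the report, while the Navy, Air Force, and ODO counts are constructed placeholders. The directorate's rounding rule and its reduced confidence level for multiple estimates are not stated, so the binomial bound below uses the 95-percent individual level; it reproduces the Marine Corps lower bound of 45 shown in Tables A-1 and A-2 but may differ by a system elsewhere.

```python
"""Stratified projection of audit-sample results (added illustration, not from the report).

Universe and sample sizes are those stated in Appendix A.  Sample failure counts
for Navy, Air Force, and ODO are CONSTRUCTED placeholders; Army (31 of 60) and
Marine Corps (26 of 26) are read from Appendix B.
"""

# Stratum name -> (universe size N_h, sample size n_h), from Appendix A.
STRATA = {
    "Army": (110, 60),
    "Navy": (97, 54),
    "Air Force": (85, 50),
    "Marine Corps": (50, 26),
    "ODO": (94, 50),
}

# Sampled systems whose contingency plan did not meet requirements (k_h).
OBSERVED_LACKING_PLAN = {
    "Army": 31,           # counted from Appendix B
    "Navy": 38,           # constructed placeholder
    "Air Force": 40,      # constructed placeholder
    "Marine Corps": 26,   # Appendix B: every sampled system
    "ODO": 11,            # constructed placeholder
}


def point_estimate(universe, sample, failures):
    """Unbiased stratum projection: scale the sample failure rate k/n up to N."""
    return round(universe * failures / sample)


def exact_binomial_lower_bound(universe, sample, alpha=0.05):
    """One-tailed exact binomial lower bound for a stratum in which every
    sampled system failed.  Under a population failure rate p the chance of
    drawing n failures in a row is p**n; the smallest p still plausible at
    significance level alpha solves p**n == alpha, so p_low = alpha**(1/n).
    Assumption: the report does not state its rounding rule; nearest is used."""
    p_low = alpha ** (1.0 / sample)
    return round(universe * p_low)


def bonferroni_overall(individual_confidence, measures):
    """Overall confidence when `measures` independent projections are each made
    at `individual_confidence`: the error rates add (Bonferroni), so two
    95-percent projections give 1 - 2 * 0.05 = 0.90 overall."""
    return 1.0 - measures * (1.0 - individual_confidence)


def project(strata, observed, alpha=0.05):
    """Return {stratum: (lower, point, upper)} plus a "Total" point estimate.

    Strata with an all-failure sample get the exact binomial lower bound and
    the stratum size as the upper bound (the estimate cannot exceed N).  The
    page does not state the two-sided method used for the other strata, so
    their bounds are left as None here."""
    result = {}
    for name, (universe, sample) in strata.items():
        failures = observed[name]
        point = point_estimate(universe, sample, failures)
        if failures == sample:
            lower = exact_binomial_lower_bound(universe, sample, alpha)
            result[name] = (lower, point, universe)
        else:
            result[name] = (None, point, None)
    total = sum(point for _, point, _ in result.values())
    result["Total"] = (None, total, None)
    return result


if __name__ == "__main__":
    for name, (lower, point, upper) in project(STRATA, OBSERVED_LACKING_PLAN).items():
        print(f"{name:14s} lower={lower} point={point} upper={upper}")
    print("overall confidence:", bonferroni_overall(0.95, 2))
```

Running the block projects 57 systems for the Army stratum (110 x 31/60) and 50 for the Marine Corps stratum with a one-tailed lower bound of 45 (50 x 0.05^(1/26)), and reports the 90-percent overall confidence that results from two 95-percent projections. The two-sided bounds the report gives for the remaining strata depend on a method the page does not describe, which is why the example leaves them unset rather than guessing.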
We provided the Components with the information we\n   extracted from DITPR on January 24, 2007.\n\n   We compared contingency plans, contingency plan testing documents, and CIO\n   DITPR Certification Memorandums with the requirements identified in DoD\n   Directive 5144.1, DoD Instruction 8500.2, DoD Instruction 5200.40, DoD\n   Manual 8510.1-M, the FY 2006 FISMA Guidance, and the FY 2006 DITPR Guidance.\n   We interviewed information assurance officials from the Army, Navy, and Air\n   Force CIO offices.\n\n   Statistical Sampling and Use of Technical Assistance. The Quantitative\nMethods Directorate developed the statistical sample design for the audit universe\nof 436 systems. We used two measures, one for the existence and one for the testing\nof system contingency plans. The two measures required independent projections\nand were therefore subject to a Bonferroni correction. We used a 95-percent individual\nconfidence level to calculate each statistical projection, which results in an\neffective 90-percent overall confidence level after the Bonferroni adjustment. The\nprojections apply to the universe of 436 information systems.\n\nTables A-1 and A-2 identify projections for the individual Components and\noverall for DoD. Our projections in Table A-1 show that we are 90 percent\nconfident that the owners of between 244 and 283 DoD mission-critical\ninformation systems did not prepare a contingency plan for their system. The\nunbiased point estimate of 264 systems is the most likely number of systems with\nno contingency plan.\n\n                   Table A-1. 
Systems Lacking Contingency Plans\n\n Component          Lower Bound   Point Estimate   Upper Bound\n Army                    46             57              67\n Navy                    59             68              77\n Air Force               61             68              75\n Marine Corps            45             50               *\n ODO                     12             21              29\n Total DoD**            244            264             283\n * All sampled systems in this stratum had the problem, so the projection is calculated using\n a one-tailed exact binomial distribution at an effectively reduced confidence level for multiple\n estimates.\n ** Total DoD projections are computed independently and do not reflect the sums of the\n three columns.\n\n\nOur projections in Table A-2 show that we are 90 percent confident that owners\nof between 342 and 373 mission-critical information systems did not test, or could\nnot provide evidence of testing, their systems' contingency plans. The unbiased\npoint estimate of 358 systems is the most likely number of systems with untested\ncontingency plans.\n\n                   Table A-2. 
Contingency Plans Lacking Testing\n\n Component          Lower Bound   Point Estimate   Upper Bound\n Army                    90             97             104\n Navy                    80             86              93\n Air Force               79             85               *\n Marine Corps            45             50               *\n ODO                     30             39              49\n Total DoD**            342            358             373\n * All sampled systems in this stratum had the problem, so the projection is calculated using\n a one-tailed exact binomial distribution at an effectively reduced confidence level for multiple\n estimates.\n ** Total DoD projections are computed independently and do not reflect the sums of the\n three columns.\n\n\nOur projections in Table A-3 show that we are 90 percent confident of the\nfollowing.\n\n        •    Owners of between 23 and 50 DoD mission-critical information\n             systems did not correctly report in DITPR whether they had developed\n             contingency plans for their systems. The unbiased point estimate of\n             37 systems is the most likely number of systems with incorrect\n             information in the "contingency plan" data field in DITPR.\n\n        •    Owners of between 398 and 422 DoD mission-critical information\n             systems did not correctly report in DITPR whether they had tested\n             their systems' contingency plans. The unbiased point estimate of\n             410 systems is the most likely number of systems with incorrect\n             information in the "contingency plan last tested" data field in DITPR.\n\n            Table A-3. 
Systems With Inaccurate Information in DITPR\n\n Measure                                     Lower Bound   Point Estimate   Upper Bound\n Reporting of contingency plan not accurate        23             37              50\n Reporting of contingency plan testing            398            410             422\n   not accurate\n\n\nUse of Computer-Processed Data. We did not use computer-processed data to\nperform this audit. We used the DITPR database to determine the audit\nuniverse and sample. DITPR, however, does not process data; the DoD\nComponents populate DITPR through data entry.\n\n    Government Accountability Office High-Risk Area. The Government\n    Accountability Office has identified several high-risk areas in DoD. This report\n    provides coverage of the Protecting the Federal Government's\n    Information-Sharing Mechanisms and the Nation's Critical Infrastructures\n    high-risk areas.\n\n\nPrior Coverage\n    During the last 5 years, DoD IG issued four reports discussing DITPR.\n    Unrestricted DoD IG reports can be accessed at\n    http://www.dodig.mil/audit/reports.\n\nDoD IG\n    DoD IG Report No. D-2007-099, "DoD Privacy Program and Privacy Impact\n    Assessments," June 13, 2007\n\n    DoD IG Report No. D-2006-042, "Security Status for Systems Reported in DoD\n    Information Technology Databases," December 30, 2005\n\n    DoD IG Report No. D-2005-029, "Management of Information Technology\n    Resources Within DoD," January 27, 2005\n\n    DoD IG Report No. D-2003-008, "Implementation of the Government\n    Information Security Reform by the Defense Finance and Accounting Service for\n    the Defense Integrated Financial Systems," October 7, 2002\n\n\nAppendix B. 
DoD Mission-Critical Systems\n            Sampled\n       We reviewed contingency planning information for the following\n       240 mission-critical systems as of January 24, 2007. We listed the systems first\n       by Component, then by DITPR identification number. System owners continue to\n       leave DITPR data fields blank or select \xe2\x80\x9cn/a\xe2\x80\x9d when reporting system information.\n       Based on audit analysis, the \xe2\x80\x9cContingency Plan Met Requirements\xe2\x80\x9d column\n       indicates whether the system contingency plan met requirements listed in\n       Appendix A.\n\n                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n             Army\n         1                                    81                yes                 no            Nov. 6, 2006*\n         2                                    85                yes                 no            May 4, 2006*\n         3                                    86                yes                yes           March 30, 2006\n         4                                   566                yes                yes            May 6, 2006*\n         5                                   568                yes                 no            May 16, 2006*\n         6                                   605                yes                yes            May 6, 2006*\n         7                                  1205                yes                 no             Jan. 
8, 2006*\n         8                                  1207                yes                yes             Jan. 8, 2006*\n         9                                  1217                yes                yes             Jan. 8, 2006*\n       10                                   1292                yes                 no           March 30, 2006*\n       11                                   2540                yes                yes            June 6, 2006*\n       12                                   2561                yes                yes           Sept. 15, 2006*\n       13                                   2638                yes                yes            May 5, 2006*\n       14                                   2641                yes                 no           March 14, 2006*\n       15                                   2652                yes                 no            June 16, 2006*\n       16                                   2660                no                  no            May 19, 2006*\n* Based on the analysis of the evidence system owner provided, the owner did not report the correct date in DITPR\nof the last test of the system\xe2\x80\x99s contingency plan.\n\n\n\n\n                                                   41\n\x0c                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n       17                                   2668                yes                yes            May 6, 2006*\n       18                                   2672           
     yes                yes            May 31, 2006*\n       19                                   2675                yes                 no            June 14, 2006*\n       20                                   2707                no                 yes           March 22, 2006*\n       21                                   2727                yes                 no            Feb. 28, 2006*\n       22                                   2894                yes                 no            Aug. 8, 2006*\n       23                                   2933                yes                yes           April 24, 2006*\n       24                                   2960                yes                yes            Feb. 15, 2006*\n       25                                   2984                yes                 no            June 26, 2006*\n       26                                   2992                yes                yes            May 12, 2006*\n       27                                   2993                yes                yes            May 12, 2006*\n       28                                   3032                yes                yes           April 20, 2006*\n       29                                   3037               blank               yes            July 19, 2006*\n       30                                   3052                no                 yes            Jan. 10, 2006*\n       31                                   3325               blank               yes           April 27, 2006*\n       32                                   3340                yes                 no           April 12, 2006*\n       33                                   3378                yes                 no            Jan. 30, 2006*\n       34                                   3379                no                 yes            Oct. 
27, 2006*\n       35                                   3381                yes                yes           March 30, 2006\n       36                                   3459                yes                 no            June 30, 2006*\n       37                                   3565                yes                 no            Feb. 28, 2006*\n       38                                   3612                yes                 no            May 4, 2006*\n       39                                   3668               blank                no                blank*\n       40                                   3674                yes                yes            July 14, 2006*\n       41                                   3712                yes                 no            May 1, 2006*\n* Based on the analysis of the evidence system owner provided, the owner did not report the correct date in DITPR\nof the last test of the system\xe2\x80\x99s contingency plan.\n\n\n\n\n                                                   42\n\x0c                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n       42                                   3714               blank                no                blank*\n       43                                   3719               blank               yes           Sept. 
18, 2006*\n       44                                   3808                yes                 no            May 1, 2006*\n       45                                   3813                yes                yes            Aug. 25, 2006*\n       46                                   3872                yes                yes            Oct. 19, 2006*\n       47                                   3896                yes                 no           March 29, 2006*\n       48                                   3897                yes                 no            Feb. 27, 2006*\n       49                                   3905                yes                yes            Aug. 16, 2006*\n       50                                   3918                yes                 no            Aug. 15, 2006*\n       51                                   3983                yes                yes            Aug. 25, 2006*\n       52                                   3990                no                  no            Oct. 10, 2006*\n       53                                   4019                yes                yes            Dec. 
1, 2006*\n       54                                   4034                yes                 no            July 31, 2006*\n       55                                   4078                yes                 no           March 14, 2006*\n       56                                   4079                yes                 no           March 14, 2006*\n       57                                   4096                yes                 no           March 14, 2006*\n       58                                   5188                yes                 no            July 31, 2006*\n       59                                   5910                yes                yes           March 12, 2006*\n       60                                   8470                yes                 no            May 15, 2006*\n             Navy\n       61                                    118                yes                yes            May 15, 2006*\n       62                                    320                yes                 no            May 18, 2006*\n       63                                   4370                yes                 no            June 29, 2006*\n       64                                   4393                yes                yes            Aug. 11, 2006*\n       65                                   4397                yes                yes             Jan. 
23, 2006\n* Based on the analysis of the evidence system owner provided, the owner did not report the correct date in DITPR\nof the last test of the system\xe2\x80\x99s contingency plan.\n\n\n\n\n                                                   43\n\x0c                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n       66                                   4430                yes                 no            Aug. 26, 2006*\n       67                                   4432                yes                 no            Aug. 22, 2006*\n       68                                   4433                yes                yes            June 2, 2006*\n       69                                   4449                yes                 no            Aug. 23, 2006*\n       70                                   4514                yes                 no           March 14, 2006*\n       71                                   4516                yes                 no            Aug. 24, 2006*\n       72                                   4528                yes                yes            May 5, 2006*\n       73                                   4559                yes                yes            Oct. 10, 2006*\n       74                                   4567                yes                 no            Aug. 1, 2006*\n       75                                   4652                no                  no            Jan. 
17, 2007*\n       76                                   4654                no                  no            Jan. 17, 2007*\n       77                                   4736                yes                 no           March 16, 2006*\n       78                                   4764                yes                 no            Feb. 28, 2007*\n       79                                   4766                yes                 no            Jan. 17, 2007*\n       80                                   4800                yes                 no            July 19, 2006*\n       81                                   4807                yes                 no            Aug. 23, 2006*\n       82                                   4812                yes                yes           March 24, 2006*\n       83                                   4813                yes                yes            May 19, 2006*\n       84                                   4821                yes                yes           March 27, 2006*\n       85                                   4827                yes                yes            May 18, 2006*\n       86                                   4830                yes                yes            Oct. 24, 2002*\n       87                                   4836                yes                 no            Dec. 5, 2006*\n       88                                   4871                yes                 no            Aug. 
22, 2006*\n       89                                   4927                yes                 no            June 29, 2006*\n       90                                   4932                n/a                 no            June 27, 2006*\n* Based on the analysis of the evidence system owner provided, the owner did not report the correct date in DITPR\nof the last test of the system\xe2\x80\x99s contingency plan.\n\n\n\n\n                                                   44\n\x0c                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n       91                                   4934                yes                 no            Dec. 18, 2006*\n       92                                   4947                yes                yes             July 31, 2006\n       93                                   4953                yes                 no           March 27, 2006*\n       94                                   4986                yes                 no            Nov. 1, 2005*\n       95                                   4989                no                  no            Jan. 17, 2007*\n       96                                   5002                yes                 no            Sept. 15, 2005*\n       97                                   5011                yes                yes            Feb. 
13, 2006*\n       98                                   5016                yes                 no            July 31, 2006*\n       99                                   5021                yes                 no            Feb. 23, 2006*\n      100                                   5035                yes                 no           March 5, 2006*\n      101                                   5038                yes                 no            Aug. 22, 2006*\n      102                                   5042                yes                yes            May 10, 2006*\n      103                                   5050                yes                 no           April 15, 2006*\n      104                                   5117                yes                 no            May 25, 2006*\n      105                                   5119                yes                 no            Oct. 22, 2006*\n      106                                   5125                yes                 no           April 15, 2006*\n      107                                   5166                yes                yes             Oct. 8, 2007*\n      108                                   6872                yes                 no             July 1, 2006*\n      109                                   6971                yes                 no           Sept. 15, 2006*\n      110                                   6978                yes                 no            July 23, 2006*\n      111                                   8069                yes                 no            Feb. 28, 2006*\n      112                                   8163                yes                yes            Aug. 24, 2006*\n      113                                   8577               blank                no           Sept. 14, 2006*\n      114                                   8849               blank                no            Jan. 
27, 2006*\n\n* Based on the analysis of the evidence system owner provided, the owner did not report the correct date in DITPR\nof the last test of the system\xe2\x80\x99s contingency plan.\n\n\n\n\n                                                   45\n\x0c                                                          Component                               Component\n                                                           Reported                              Reported Date\n                                          DITPR           Contingency        Contingency          Contingency\nSampled                                Identification        Plan              Plan Met            Plan Last\n System      Component                   Number            Developed         Requirements           Tested\n\n             Marine Corps\n      115                                   4416                yes                 no            July 27, 2006*\n      116                                   4418                yes                 no            July 27, 2006*\n      117                                   4420                yes                 no            July 27, 2006*\n      118                                   4424                yes                 no            July 27, 2006*\n      119                                   4440                yes                 no            July 27, 2006*\n      120                                   4517                yes                 no            July 27, 2006*\n      121                                   4538                yes                 no            July 27, 2006*\n      122                                   4718                yes                 no            July 27, 2006*\n      123                                   4720                yes                 no            July 27, 2006*\n      124                                   4732                yes                 no            July 27, 2006*\n      125              
                     4740                yes                 no            July 27, 2006*
      126                                   4784                yes                 no            July 27, 2006*
      127                                   4798                yes                 no            July 27, 2006*
      128                                   4864                yes                 no            July 27, 2006*
      129                                   4941                yes                 no            July 27, 2006*
      130                                   4970                yes                 no            July 27, 2006*
      131                                   4992                yes                 no            July 27, 2006*
      132                                   5020                yes                 no             July 1, 2006*
      133                                   5028                yes                 no            July 27, 2006*
      134                                   5061                yes                 no            July 27, 2006*
      135                                   5081                yes                 no            July 27, 2006*
      136                                   5095                yes                 no            July 27, 2006*
      137                                   5096                yes                 no            July 27, 2006*
      138                                   5100                yes                 no            July 27, 2006*
      139                                   5108                yes                 no            July 27, 2006*
      140                                   5143                yes                 no            July 27, 2006*
             Air Force
      141                                    451                yes                yes            June 13, 2006*
      142                                    879                yes                yes            Aug. 27, 2006*
      143                                    939                yes                 no             June 3, 2006*
      144                                    942                yes                 no            June 15, 2006*
      145                                   1049                yes                yes            Aug. 23, 2006*
      146                                   1298                yes                yes            Jan. 30, 2006*
      147                                   1460                yes                 no            June 30, 2006*
      148                                   1711                yes                 no            July 14, 2006*
      149                                   1725                yes                 no             Aug. 6, 2006*
      150                                   1848                yes                yes            April 1, 2005*
      151                                   1876                yes                 no            March 7, 2006*
      152                                   1948                yes                 no            July 15, 2002*
      153                                   2004                yes                 no            May 12, 2006*
      154                                   2049                yes                 no             June 1, 2004*
      155                                   2077                yes                 no            Aug. 11, 2006*
      156                                   2143                yes                 no                blank*
      157                                   2145                yes                 no                blank*
      158                                   2173                yes                 no            Jan. 18, 2006*
      159                                   2223                yes                 no             Aug. 3, 2006*
      160                                   2226                yes                 no            March 3, 2005*
      161                                   2229                yes                yes            Nov. 20, 2006*
      162                                   2395                yes                 no            Oct. 25, 2006*
      163                                   2448                yes                 no             July 1, 2006*
      164                                   2454                yes                 no            Oct. 30, 2006*
      165                                   5851                yes                 no            Oct. 20, 2006*
      166                                   5885                yes                 no            Aug. 15, 2004*
      167                                   6666                yes                 no            June 15, 2006*
      168                                   7164                yes                 no            July 14, 2006*
      169                                   7319                yes                 no           April 26, 2006*
      170                                   7728                yes                 no            Oct. 28, 2005*
      171                                   7743                yes                 no            June 21, 2006*
      172                                   7778                yes                 no            Oct. 18, 2006*
      173                                   7796                yes                yes           March 31, 2006*
      174                                   7797                yes                 no            Jan. 12, 2006*
      175                                   7798                yes                 no            Nov. 16, 2005*
      176                                   7799                yes                 no            Nov. 22, 2005*
      177                                   7801                yes                yes            Jan. 12, 2006*
      178                                   7802                yes                 no            Jan. 19, 2006*
      179                                   7803                yes                 no            Jan. 23, 2006*
      180                                   7804                yes                 no            Jan. 23, 2006*
      181                                   7806                yes                 no            Jan. 12, 2006*
      182                                   7820                yes                 no            Feb. 10, 2006*
      183                                   7854                yes                 no            Nov. 11, 2006*
      184                                   7864                yes                 no            Dec. 19, 2005*
      185                                   8265                yes                 no            July 18, 2006*
      186                                   8321                yes                yes            July 14, 2006*
      187                                   8351                yes                 no            Jan. 12, 2006*
      188                                   8367                yes                 no            Jan. 23, 2006*
      189                                   8751                yes                 no            Aug. 16, 2006*
      190                                   8752                yes                yes           April 14, 2006*
             U.S. Transportation Command
      191                                    348                yes                yes             Jan. 10, 2007
      192                                    349                yes                 no            March 2, 2006*
      193                                    354                yes                yes            May 18, 2006*
      194                                    359                yes                yes              Nov. 1, 2006
      195                                    369                yes                yes             Nov. 7, 2006*
      196                                    370                yes                yes            Jan. 15, 2006*
      197                                    374                yes                yes             June 15, 2006
      198                                    376                yes                yes              July 7, 2006
      199                                    487                yes                yes              July 7, 2006
      200                                   1352                yes                yes            July 19, 2006*
      201                                   3093                yes                yes             Feb. 6, 2006*
      202                                   3112                yes                yes            April 10, 2006
      203                                   4227                yes                yes            June 19, 2006*
      204                                   4238                yes                yes            Oct. 23, 2006*
             U.S. Strategic Command
      205                                   3120                yes                yes             Dec. 8, 2006*
             ASD(NII)/CIO
      206                                   3264                yes                yes           Sept. 28, 2005*
             Business Transportation Agency
      207                                   6501               blank               yes            Oct. 23, 2006*
             Defense Contract Management Agency
      208                                    423                yes                 no             Feb. 3, 2006*
             Defense Information Systems Agency
      209                                   3106                yes                 no            May 27, 2005*
      210                                   3150                yes                yes            May 17, 2006*
      211                                   3189                yes                 no            April 8, 2006*
      212                                   3194                yes                yes            May 25, 2006*
      213                                   3196                yes                yes            Nov. 12, 2006*
      214                                   3200                yes                yes            May 21, 2006*
      215                                   3205                yes                 no              Aug. 6, 2006
      216                                   3210                yes                yes            March 3, 2006*
      217                                   3212                yes                yes            June 14, 2006*
      218                                   3220                yes                yes            May 19, 2006*
      219                                   3224                yes                yes             Aug. 1, 2005*
      220                                   3236                yes                 no           April 18, 2006*
      221                                   3245                yes                yes            July 10, 2006*
      222                                   3249                yes                yes           Sept. 26, 2006*
      223                                   3253                yes                 no           April 18, 2006*
      224                                   3259                yes                yes            June 17, 2006*
      225                                   7496                yes                yes            May 19, 2006*
      226                                   7895                yes                yes            July 10, 2006*
      227                                   7902               blank                no              Aug. 6, 2006
      228                                   7903                yes                yes           March 11, 2006*
      229                                   8546               blank                no             July 2, 2005*
             Defense Logistics Agency
      230                                    280                yes                yes            July 28, 2003*
      231                                    281                yes                yes            Feb. 28, 2004*
      232                                    286                yes                yes              Dec. 2, 2005
      233                                    288                yes                yes             Aug. 17, 2006
      234                                   8563                yes                yes            Aug. 16, 2006*
             Defense Threat Reduction Agency
      235                                   3183                yes                yes            Oct. 21, 2005*
      236                                   4260                yes                yes            Oct. 21, 2005*
      237                                   7550                 no                 no                blank*
             Missile Defense Agency
      238                                   4295                yes                 no            Aug. 23, 2006*
             TRICARE Management Agency
      239                                    138                yes                yes           April 13, 2006*
      240                                    164                yes                yes            Oct. 31, 2006*

* Based on the analysis of the evidence the system owner provided, the owner did not report the correct date in DITPR
of the last test of the system’s contingency plan.


Appendix C. Management Comments on the Finding, Unsolicited Comments on
            the Finding and Recommendations, and Audit Response

The Air Force, U.S. Transportation Command, and the Defense Contract
Management Agency provided comments on the finding section of the report.
Although not required to comment, the Marine Corps also commented on the
finding and the Defense Threat Reduction Agency commented on
Recommendation 1.

Management Comments on the Finding, and Audit Response

Air Force Comments. The CIO, Air Force, stated that on April 17, 2007, he
released a detailed Instruction on contingency plan development, which was
included in the Air Force FY 2007 FISMA Reporting Guidance. The Air Force CIO
stated that the Air Force FY 2007 FISMA Reporting Guidance required system
owners to use Special Publication 800-34 to develop and maintain a viable
contingency planning program. The Air Force CIO stated that the Air Force
plans to incorporate contingency planning procedures in Special
Publication 800-34 into Air Force policy.
The CIO also stated that the Air Force will audit contingency plan development
and testing plan to ensure gaps are identified, training is relevant, and
exercises are conducted and documented to improve plan effectiveness.

Audit Response. We commend the Air Force for taking corrective action on some
of the issues identified in this report.

U.S. Transportation Command Comments. The Director, Program Analysis and
Financial Management, commenting for the U.S. Transportation Command CIO,
stated that the one system contingency plan we determined did not meet
requirements was updated and subsequently tested in July 2007. The Director
also stated that six of the eight systems we determined did not have correct
contingency plan test dates in DITPR were tested in accordance with DoD
policy; however, the DITPR Guidance allows owners 30 days to update their
system information in DITPR. The Director stated that he attributed the
incorrect dates in DITPR to the latency requirement for reporting information
in DITPR.

The Director further said that the U.S. Transportation Command developed and
standardized templates, based on DoD Instruction 8500.2, to assist system
managers in developing contingency plans and documenting plan results. The
Director stated that U.S. Transportation Command requested and receives Plans
of Action and Milestones from system managers, continuously monitors the
plans, and assists managers when they submit inadequate documentation.

Audit Response. We commend the U.S. Transportation Command for taking
corrective action on some of the issues identified in this report.

Defense Contract Management Agency Comments. The Acting Director, Defense
Contract Management Agency, stated that owners of Defense Contract Management
Agency systems have contingency plans. The Acting Director stated that the
Defense Information Systems Agency hosts and operates the system we reviewed
and prepared a contingency plan for the system. The Acting Director stated
that although the owner of the system reported an incorrect date in DITPR in
January 2007, the agency entered the correct date on May 15, 2007, and
promptly notified our office.

Audit Response. We commend the Defense Contract Management Agency for taking
corrective action on some of the issues identified in this report.

Unsolicited Comments on the Finding, and Audit Response

Marine Corps Comments. The Director, Marine Corps Command, Control,
Communications and Computers, stated that, to meet information assurance
reporting requirements, the Marine Corps identified three enclaves. The
enclaves include garrison and tactical information systems and networks
located in or on Marine Corps bases, posts, camps, stations, and major
subordinate commands. The Director stated that all networks, networked
systems, and other information systems are certified and accredited to operate
in one of the three enclaves and documented in the approved enclave System
Security Authorization Agreement.

The Director stated that the Marine Corps agreed with the findings that system
owners for 100 percent of Marine Corps information systems did not show that
contingency plans were developed and tested. The Director stated that the
Marine Corps will demonstrate system accountability in a Plan of Action and
Milestones. The Director further stated that although the initial submission
of test and after action reports did not explicitly identify the systems under
review, additional documents were provided indicating the location of each
system and to which enclave the system belonged.

Audit Response. Marine Corps system owners provided one document during their
initial submission of documents for all 26 systems sampled—an appendix from
the Marine Corps Logistics Command Security System Authorization Agreement—as
evidence that they had prepared contingency plans for the 26 systems. Marine
Corps system owners also provided a memorandum stating that the appendix
covered contingency planning procedures for the 26 systems under review. The
five-page appendix, however, did not mention the 26 systems or provide
contingency planning procedures for the systems.

Prior to a briefing we conducted with Marine Corps officials on the
preliminary results of this audit, Marine Corps officials provided a
spreadsheet that identified the locations of the 26 Marine Corps information
systems we reviewed. The spreadsheet, however, did not identify the enclave to
which the 26 systems belonged. Additionally, the spreadsheet indicated that
only 4 of the 26 systems we reviewed were covered by the Marine Corps
Logistics Command Security System Authorization Agreement, the only document
they provided us initially. We did not consider the spreadsheet sufficient
evidence that owners of the 26 systems we reviewed developed and tested the
systems’ contingency plans. The system boundaries and enclaves to which the
system belongs should be recorded in the system’s certification and
accreditation documents, not in a spreadsheet generated specifically for the
audit team.

Unsolicited Comments on the Recommendations

Defense Threat Reduction Agency Comments. Although not required to respond,
the CIO, Defense Threat Reduction Agency, commented on Recommendation 1. The
CIO stated that the lack of detailed DoD guidance on contingency planning
impedes the Agency’s ability to develop, test, and approve contingency plans
for information systems.
The CIO stated that the Agency would benefit from a supplement on testing
contingency plans and improving its DITPR data quality and integrity. The CIO
also stated that clarification of the definitions for contingency plan and
continuity of operations plan would eliminate inappropriate substitution of
one term for the other. Lastly, the CIO stated that implementation of a
training program in contingency planning would benefit the Agency by
developing individuals with the skills to complete contingency plans.


Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
   Director, Defense Business Transformation Agency
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Health Affairs/Chief Information Officer
Assistant Secretary of Defense for Networks and Information Integration/Chief
   Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Auditor General, Department of the Army
Chief Information Officer, Department of the Army

Department of the Navy
Auditor General, Department of the Navy
Chief Information Officer, Department of Navy
   Deputy Chief Information Officer, U.S. Marine Corps
Naval Inspector General
Assistant Secretary of the Navy (Manpower and Reserve Affairs)

Department of the Air Force
Chief Information Officer, Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Combatant Commands
Commander, U.S. Strategic Command
Commander, U.S. Transportation Command
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Joint Forces Command
   Inspector General, U.S. Joint Forces Command
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Strategic Command
Chief Information Officer, U.S. Transportation Command

Other Defense Organizations
Director, Defense Contract Management Agency
Director, Defense Information Systems Agency
Director, Defense Logistics Agency
Director, Defense Threat Reduction Agency
Director, Missile Defense Agency
Director, TRICARE Management Activity
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Finance and Accounting Agency
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Department of Defense Inspector General
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection Agency
Chief Information Officer, Armed Forces Information Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Department of Defense Education Activity
Chief Information Officer, Defense Human Resource Activity
Chief Information Officer, DoD Test Resources Management Center
Chief Information Officer, TRICARE Management Activity
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
   Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Oversight and Government Reform
House Subcommittee on Government Management, Organization, and Procurement,
   Committee on Oversight and Government Reform
House Subcommittee on National Security and Foreign Affairs, Committee on
   Oversight and Government Reform
House Subcommittee on Technology and Innovation, Committee on Science
   and Technology


Assistant Secretary of Defense for Networks and Information Integration Comments
[Scanned comment pages 59 through 67]

Department of the Army Comments
[Scanned comment pages 68 through 76]

Department of the Navy Comments
[Scanned comment pages 77 through 79]

Department of the Air Force Comments
[Scanned comment page 80]

U.S. Transportation Command Comments
[Scanned comment pages 81 through 82]

Defense Contract Management Agency Comments
[Scanned comment pages 83 through 86]

Defense Information Systems Agency Comments
[Scanned comment pages 87 through 90]

Defense Logistics Agency Comments
[Scanned comment page 91]
Final Report Reference: Attachment 1 Omitted

Defense Threat Reduction Agency Comments
[Scanned comment pages 92 through 97]

Missile Defense Agency Comments
[Scanned comment page 98]

TRICARE Management Activity Comments
[Scanned comment pages 99 through 101]

U.S. Marine Corps Comments
[Scanned comment pages 102 through 105]


Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing,
Readiness and Operations Support prepared this report. Personnel of the
Department of Defense Office of Inspector General who contributed to the report
are listed below.

Robert F. Prinzbach II
Kimberley A. Caprio
Karen J. Goff
Barry Gay
Dawn M. Russell
Brenda M. Steib
Dharam V. Jain
Allison E. Tarmann